Deployment Architecture

Can Splunk Do This? -> Blacklist some Splunk indexers in a custom search command for distributed search.

lpolo
Motivator

I read this answer:

http://splunk-base.splunk.com/answers/31681/custom-search-command-for-distributed-search

and followed the instructions from this answer:

http://splunk-base.splunk.com/answers/46970/search-command-from-master-head

It partially solves my problem.

I have a custom search command that can only be executed on a specific Splunk indexer. I need to run this search command from the master head. The main constraint I have is that the custom search command must run in a DMZ network area.

If I enable streaming=true, the custom search will be distributed across all the Splunk indexers. Therefore, the query will fail on the Splunk indexers that cannot execute the custom search, and it will take a lot of time to complete the execution.

If I try:

splunk_server=dmz.indexer.com|customsearch

I get this error:

Error in 'customsearch' command: This command must be the first command of a search

How can I solve this problem?

Thanks for your help.

0 Karma

lpolo
Motivator

Thanks Mario.
Master head: Version 4.3
Indexer: Version 4.2.1

The search command is just a web REST call; then the result set is presented to the user. This web REST call can only be executed in the DMZ environment (the indexer is found in this environment). That is why I need to exclude the indexers that cannot access this network.

0 Karma

sdwilkerson
Contributor

lpolo,

Without knowing anything more about this custom search command, maybe you can just try a subsearch. This works for other Splunk built-in commands that must appear first.

For instance, something like this might/should work:

search> customsearch [search splunk_server=dmz.indexer.com]

Essentially, in a subsearch, what is in the brackets is the "inner search," which says do this search and then pass the results to what is outside of the brackets (the outer search).

You may need to muck with setting earliest and latest to set your times in the inner search to ensure the data you are looking for is included properly.

Best,

Sean

0 Karma

lpolo
Motivator

Thanks for your answer, but the solution to the problem is not about sub-search; it is about how to exclude ("blacklist") Splunk indexers from a custom search command for distributed search.

0 Karma

MarioM
Motivator

What does your custom search command do? Which version of Splunk are you running?

0 Karma