Knowledge Management

How do you configure the search head so it sends 2 summary index data to 2 separate indexers?

gmenghini
New Member

I have a problem with the configuration/definition of 2 separate summary indexes for storing data on 2 separate indexers. Let me try to explain the situation and the problem in detail:

1) I have 2 separate indexers (2 separate servers). Let's say Indexer A and Indexer B.
2) I have one search head (1 server) with 2 separate apps. Let's say App 1 and App 2.
3) In App 1 I want to collect the results of my searches in a „summary index AB“ on Indexer A.
4) In App 2 I want to collect the results of my searches in a „summary index BC“ on Indexer B.

I know that the indexer server’s names can be configured in the output.conf file. However, I do not know how to define server specific summary indexes. That is, how can I configure that the results in App 1 are collected in summary index AB on Index A, and analogously for the results in App 2? As far as I understand, in the inputs.conf you cannot define the name of a summary index. Or am I wrong? I hope my description is understandable…

Your help is very much appreciated!

0 Karma

gmenghini
New Member

Hi Somesoni2

Many thanks for your answer. We tried your proposal, however, it does not work. Do we have to consider something special when executing the collect statement? Or something when configuring the summary index? We do not receive any error message.

Generally, we wonder how other apps handle it? We basically just want to collect the results of an app into a specific summary index. And the search head with the app is connecting to different indexers.

Again, thanks for your appreciated help!

Best regards

0 Karma

somesoni2
SplunkTrust

This is a very unusual requirement that you have here. One option that might work would be to have a props/transforms setting that will override the TCP routing to specific indexers. The props/transforms will not have any reference to apps, and summary indexing will have the same host and sourcetype, so you'd need to override the TCP routing based on source, which is the name of the summary index search. So what you need to do is to ensure that all summary index searches from App1 have the same prefix (so that you don't have to update the configuration every time you add a new search) and all summary index searches from App2 have the same prefix, which is different from App1's prefix. Let's say the prefixes you chose are Prefix1 and Prefix2, then try something like this on your search head.

outputs.conf

[tcpout]
defaultGroup=allIndexers

[tcpout:allIndexers]
server=<indexer1_ip>:<port>, <indexer2_ip>:<port>

[tcpout:indexer1]
server=<indexer1_ip>:<port>

[tcpout:indexer2]
server=<indexer2_ip>:<port>

props.conf

[source::Prefix1...]
TRANSFORMS-sendIdx1= sendToIndexer1

[source::Prefix2...]
TRANSFORMS-sendIdx2= sendToIndexer2

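transforms.conf

[sendToIndexer1]
# REGEX is required for index-time transforms; "." matches every event from the source
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=indexer1

[sendToIndexer2]
# REGEX is required for index-time transforms; "." matches every event from the source
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=indexer2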
0 Karma
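
A consistency check for the outputs.conf / props.conf / transforms.conf trio in the answer above, as an added example that is not part of the original post or of Splunk's own tooling: it verifies that every TRANSFORMS- reference resolves, that each _TCP_ROUTING transform carries a REGEX, and that its FORMAT names a defined tcpout group. The function name check_routing, the sample addresses and the indexer3 typo are constructed for illustration.

```python
import configparser

def _parse(text):
    # Splunk .conf files are INI-like; keep key case and split on '=' only.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_routing(outputs, props, transforms):
    """Return a list of problems in a source-based _TCP_ROUTING setup."""
    out, pr, tr = _parse(outputs), _parse(props), _parse(transforms)
    groups = {s.split(":", 1)[1] for s in out.sections() if s.startswith("tcpout:")}
    problems = []
    for stanza in pr.sections():
        for key, value in pr[stanza].items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                if name not in tr:
                    problems.append(f"[{stanza}] references missing transform {name}")
                    continue
                t = tr[name]
                if t.get("DEST_KEY") != "_TCP_ROUTING":
                    continue
                if "REGEX" not in t:
                    problems.append(f"[{name}] has no REGEX (required at index time)")
                for g in (x.strip() for x in t.get("FORMAT", "").split(",")):
                    if g not in groups:
                        problems.append(f"[{name}] routes to undefined tcpout group {g!r}")
    return problems

# Constructed sample: the thread's stanza names, documentation-range addresses,
# and two deliberate mistakes in sendToIndexer2 (no REGEX, FORMAT typo indexer3).
OUTPUTS = "[tcpout:indexer1]\nserver=192.0.2.10:9997\n[tcpout:indexer2]\nserver=192.0.2.11:9997\n"
PROPS = ("[source::Prefix1...]\nTRANSFORMS-sendIdx1= sendToIndexer1\n"
         "[source::Prefix2...]\nTRANSFORMS-sendIdx2= sendToIndexer2\n")
TRANSFORMS = ("[sendToIndexer1]\nREGEX=.\nDEST_KEY=_TCP_ROUTING\nFORMAT=indexer1\n"
              "[sendToIndexer2]\nDEST_KEY=_TCP_ROUTING\nFORMAT=indexer3\n")

if __name__ == "__main__":
    for problem in check_routing(OUTPUTS, PROPS, TRANSFORMS):
        print(problem)
```

An empty result means the three files agree with each other; it does not confirm that events actually reach the intended indexer.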