Can I store data at the index layer so isolated se...

brent_weaver · ‎08-29-2017

I am building up Splunk content for our product in Splunk. I am building a dashboard to count events, which are many. I want to use kvstore to store this info and then have the app use the lookup to get this data. I have played a bit with kvstore and do understand how to do this but need advice on setup.

We have multiple search heads, how do I store the data at the index layer so the other [isolated] search heads can access them without having the query running locally? It seems that I can enable replication?

What config files do I need to setup? Seems that I need to do collections.conf and transforms.conf. Is this correct?

I assume I can store a field as time/date?

Any help/advice is welcome!

markusspitzli2 · ‎08-31-2017

yes. you have to create a new summary index and store the data in it. every searchhead should be abe to access the data and create its own lookupfile if you want.

brent_weaver · ‎08-31-2017

I am not opposed to that but then I need to create the summary index right?

markusspitzli2 · ‎08-31-2017

hey.
why not store the events in a summary index instead of the kvstore?

Can I store data at the index layer so isolated search heads can access it?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms