I am building up Splunk content for our product in Splunk. I am building a dashboard to count events, which are many. I want to use kvstore to store this info and then have the app use the lookup to get this data. I have played a bit with kvstore and do understand how to do this but need advice on setup.
We have multiple search heads. How do I store the data at the index layer so the other [isolated] search heads can access them without having the query running locally? It seems that I can enable replication?
What config files do I need to set up? It seems that I need to do collections.conf and transforms.conf. Is this correct?
I assume I can store a field as time/date?
Any help/advice is welcome!
Yes. You have to create a new summary index and store the data in it. Every search head should be able to access the data and create its own lookup file if you want.
I am not opposed to that, but then I need to create the summary index, right?
Hey.
Why not store the events in a summary index instead of the kvstore?