We have an index cluster with:
4 x Indexer servers (clustered)
1 x Cluster master
2 x Search head (non clustered SH but added to index cluster)
1 x Heavy forwarder
For investigation I would like to be able to import CSV files to an index in the cluster but the search head web gui does not allow me to select the destination index on the cluster? Yes, I can search the index and return data from searches but I would like to be able to import data manually to the index defining a Source type etc. As the search head despatches the search to the cluster I understand why this is not happening. But why if the search head of heavy forwarder does the web ui not see the indexes? To achieve this I need to setup an input on the heavy forwarder and batch process the files, which is a pain for quick investigation and can be a problem for analysts.
Is there a way to make the web ui aware of the list of indexes in the cluster so we can use the web ui, other than writing a new app?
Thanks, Actually I found the easiest way to do this is to create a basic indexes.conf file on the search heads containing the indexes you want to expose as these should be setup best practice to forward all events to the indexers. This way we can expose the various indexes to our analysts via the drop down menu in the web UI for importing data.
Thanks for the quick response.
No, not really.
I've had this before, I just typed the name of the target index in the box where you should select it and hit continue.
If I remember right you will get a warning message, but continue anyway.
If the index is created and available on the IDX cluster, your data will get there.
Gib