Deployment Architecture

Search head for index cluster does not allow me to import data to clustered index?

ianbow_concur
New Member

We have an index cluster with:
4 x Indexer servers (clustered)
1 x Cluster master
2 x Search head (non clustered SH but added to index cluster)
1 x Heavy forwarder

For investigation, I would like to be able to import CSV files to an index in the cluster, but the search head web GUI does not allow me to select the destination index on the cluster. Yes, I can search the index and return data from searches, but I would like to be able to import data manually to the index, defining a source type etc. As the search head despatches the search to the cluster, I understand why this is not happening. But why if the search head of heavy forwarder does the web UI not see the indexes? To achieve this I need to set up an input on the heavy forwarder and batch process the files, which is a pain for quick investigation and can be a problem for analysts.

Is there a way to make the web UI aware of the list of indexes in the cluster so we can use the web UI, other than writing a new app?

0 Karma

ianbow_concur
New Member

Thanks. Actually, I found the easiest way to do this is to create a basic indexes.conf file on the search heads containing the indexes you want to expose, as these should be set up, per best practice, to forward all events to the indexers. This way we can expose the various indexes to our analysts via the drop-down menu in the web UI for importing data.

Thanks for the quick response.

0 Karma

markhill1
Path Finder

No, not really.
I've had this before, I just typed the name of the target index in the box where you should select it and hit continue.
If I remember right you will get a warning message, but continue anyway.
If the index is created and available on the IDX cluster, your data will get there.
Gib

0 Karma
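Both replies above depend on two conditions: the index named on the search head must also exist on the indexer cluster, and the search head must forward uploads rather than index them locally. The following check is an added example, not code from either poster or from Splunk; the three conf bodies are constructed samples and the index, group and host names are hypothetical.

```python
import configparser

# Constructed samples: search head indexes.conf, peer indexes.conf, search head outputs.conf.
SH_INDEXES = """
[investigations]
homePath = $SPLUNK_DB/investigations/db
coldPath = $SPLUNK_DB/investigations/colddb
thawedPath = $SPLUNK_DB/investigations/thaweddb
[adhoc_csv]
homePath = $SPLUNK_DB/adhoc_csv/db
coldPath = $SPLUNK_DB/adhoc_csv/colddb
thawedPath = $SPLUNK_DB/adhoc_csv/thaweddb
"""
PEER_INDEXES = """
[investigations]
homePath = $SPLUNK_DB/investigations/db
coldPath = $SPLUNK_DB/investigations/colddb
thawedPath = $SPLUNK_DB/investigations/thaweddb
repFactor = auto
"""
SH_OUTPUTS = """
[tcpout]
defaultGroup = cluster_peers
indexAndForward = false
[tcpout:cluster_peers]
server = idx1.example.com:9997,idx2.example.com:9997
"""

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(text)
    return cp

def audit(sh_indexes, peer_indexes, sh_outputs):
    sh, peers, out = parse(sh_indexes), parse(peer_indexes), parse(sh_outputs)
    findings = []
    for name in sh.sections():
        if not peers.has_section(name):
            findings.append(f"{name}: listed on the search head but not defined on the indexers")
    tcpout = dict(out["tcpout"]) if out.has_section("tcpout") else {}
    if not tcpout.get("defaultGroup"):
        findings.append("outputs.conf: no [tcpout] defaultGroup, uploads would be indexed locally")
    if tcpout.get("indexAndForward", "false").strip().lower() in ("true", "1"):
        findings.append("outputs.conf: indexAndForward is enabled, a local copy would be kept")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SH_INDEXES, PEER_INDEXES, SH_OUTPUTS)))
```

With the sample data, the only finding is the `adhoc_csv` index, which analysts could pick in the drop-down even though no indexer defines it.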