Deployment Architecture

Search head for index cluster does not allow me to import data to clustered index?

ianbow_concur
New Member

We have an index cluster with:
4 x Indexer servers (clustered)
1 x Cluster master
2 x Search head (non clustered SH but added to index cluster)
1 x Heavy forwarder

For investigation I would like to be able to import CSV files to an index in the cluster, but the search head web GUI does not allow me to select the destination index on the cluster. Yes, I can search the index and return data from searches, but I would like to be able to import data manually to the index, defining a source type etc. As the search head despatches the search to the cluster I understand why this is not happening. But why if the search head of heavy forwarder does the web UI not see the indexes? To achieve this I need to set up an input on the heavy forwarder and batch process the files, which is a pain for quick investigation and can be a problem for analysts.

Is there a way to make the web UI aware of the list of indexes in the cluster so we can use the web UI, other than writing a new app?

0 Karma

ianbow_concur
New Member

Thanks. Actually, I found the easiest way to do this is to create a basic indexes.conf file on the search heads containing the indexes you want to expose, as these should be set up per best practice to forward all events to the indexers. This way we can expose the various indexes to our analysts via the drop-down menu in the web UI for importing data.

Thanks for the quick response.

0 Karma
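A sketch of the search-head configuration described in the post above, added here as an illustration and not taken from the poster's environment. The index name, output group name, indexer hostnames and port 9997 are assumed placeholders; the four servers mirror the four indexers in the question.

```ini
# indexes.conf on each search head
# Stub definition so the index name appears in the web UI drop-down.
# "investigation_csv" is a placeholder; it must match the name of an index
# that already exists on the cluster peers, or forwarded events have nowhere to land.
[investigation_csv]
homePath   = $SPLUNK_DB/investigation_csv/db
coldPath   = $SPLUNK_DB/investigation_csv/colddb
thawedPath = $SPLUNK_DB/investigation_csv/thaweddb

# outputs.conf on each search head
# Do not keep a local copy of anything the search head receives.
[indexAndForward]
index = false

[tcpout]
defaultGroup = cluster_indexers
# Forward events for every index, including internal ones.
forwardedindex.filter.disable = true
indexAndForward = false

# Placeholder hostnames for the four clustered indexers.
[tcpout:cluster_indexers]
server = idx1.example.com:9997,idx2.example.com:9997,idx3.example.com:9997,idx4.example.com:9997
```

With forwarding in place the stub index on the search head stays empty; a search for the uploaded CSV events is answered by the cluster peers.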

markhill1
Path Finder

No, not really.
I've had this before; I just typed the name of the target index in the box where you should select it and hit continue.
If I remember right, you will get a warning message, but continue anyway.
If the index is created and available on the IDX cluster, your data will get there.
Gib

0 Karma