Deployment Architecture

Search head for index cluster does not allow me to import data to clustered index?

ianbow_concur
New Member

We have an index cluster with:
4 x Indexer servers (clustered)
1 x Cluster master
2 x Search head (non clustered SH but added to index cluster)
1 x Heavy forwarder

For investigation I would like to be able to import CSV files to an index in the cluster, but the search head web GUI does not allow me to select the destination index on the cluster. Yes, I can search the index and return data from searches, but I would like to be able to import data manually to the index, defining a source type etc. As the search head despatches the search to the cluster I understand why this is not happening. But why if the search head of heavy forwarder does the web UI not see the indexes? To achieve this I need to set up an input on the heavy forwarder and batch process the files, which is a pain for quick investigation and can be a problem for analysts.

Is there a way to make the web UI aware of the list of indexes in the cluster so we can use the web UI, other than writing a new app?

0 Karma

ianbow_concur
New Member

Thanks. Actually, I found the easiest way to do this is to create a basic indexes.conf file on the search heads containing the indexes you want to expose, as these should be set up as best practice to forward all events to the indexers. This way we can expose the various indexes to our analysts via the drop-down menu in the web UI for importing data.

Thanks for the quick response.

0 Karma
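
A sketch of the search-head configuration described in the post above, as an added example that is not from the original poster or from Splunk. The app directory, index name, indexer host names and receiving port are placeholders, and the index is assumed to already exist on the indexer cluster under the same name.

```ini
# $SPLUNK_HOME/etc/apps/sh_index_stubs/local/indexes.conf   (app name is a placeholder)
# Stub definition so the index shows up in the search head's Add Data drop-down.
# The stanza name must match an index that already exists on the indexer cluster;
# "investigation_csv" is a hypothetical name.
[investigation_csv]
homePath   = $SPLUNK_DB/investigation_csv/db
coldPath   = $SPLUNK_DB/investigation_csv/colddb
thawedPath = $SPLUNK_DB/investigation_csv/thaweddb

# $SPLUNK_HOME/etc/apps/sh_index_stubs/local/outputs.conf
# Forward all events to the indexer layer and keep no local copy, so uploaded
# data lands in the clustered index rather than in the stub on the search head.
[indexAndForward]
index = false

[tcpout]
defaultGroup = cluster_indexers
# Without this, the default forwarding filter can drop events for some indexes.
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:cluster_indexers]
# Placeholder host names; 9997 is assumed to be the indexers' receiving port.
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997, idx4.example.com:9997
```

If forwarding is not in place, data uploaded through the web UI stays in the local stub index on the search head and never reaches the cluster, so confirm the upload with a search that shows the events arriving from the indexers.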

markhill1
Path Finder

No, not really.
I've had this before, I just typed the name of the target index in the box where you should select it and hit continue.
If I remember right you will get a warning message, but continue anyway.
If the index is created and available on the IDX cluster, your data will get there.
Gib

0 Karma