Getting Data In

How to add an index to a search head and keep it separate from other search heads?

Log_wrangler
Builder

Hello,

I have a search head that communicates with 3 non-clustered indexers ( autolb distribution of data). Indexed data is distributed evenly across all three indexers.

Now I need to add a remote indexer to the search head but I don't want to add it to the other indexers group. It needs to be separate because the remote indexer is managed by someone else. However I need it to communicate to my search head so I can monitor the data contained in that remote indexer.

How would I set this up?

Thank you

0 Karma
1 Solution

lakshman239
SplunkTrust
SplunkTrust

I assume, you want your search head to 'search' the data/logs in the newly added indexer. If so, you can add that just like the other indexers via dist search

https://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Configuredistributedsearch

https://docs.splunk.com/Documentation/Splunk/7.2.4/Admin/Distsearchconf

On the forwarder level, where you define tcpout group, you can decide what logs/data needs to go to new indexer or the old indexers [ 3 non-clustered one].

Do you see any issues with this approach?

View solution in original post

0 Karma

lakshman239
SplunkTrust
SplunkTrust

I assume, you want your search head to 'search' the data/logs in the newly added indexer. If so, you can add that just like the other indexers via dist search

https://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Configuredistributedsearch

https://docs.splunk.com/Documentation/Splunk/7.2.4/Admin/Distsearchconf

On the forwarder level, where you define tcpout group, you can decide what logs/data needs to go to new indexer or the old indexers [ 3 non-clustered one].

Do you see any issues with this approach?

0 Karma

Log_wrangler
Builder

Thank you, I guess in my environment I just need to add the indexer as a "search peer" just wanted to make sure that something was not accidentally created where the remote indexer was auto added/joined to the others in an autolb fashion. But it does not.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...