Hi,
I have built an app that aggregates data into a summary index. The app also provides a query that searches for the data in the summary index and displays it. When running the app on one single search head everything works fine.
The problem is that I have two search heads and the app should run on the other search head as well. Both search heads also have the "other" search head configured as a search peer in distributed search.
So here is the problem:
When the query runs from the app on the first search head it searches for data from index=my_summary_index. Since the app also runs on the other search head we also have such a summary index on that other indexer too. Both indexes are returning data and thus duplicate the results.
How can I prevent results from the "other" search head from polluting my query? How can I find out the hostname or splunk_server of the search head "this" query is running on?
splunk_server=local
will give results from only the current search head.
Note, however, that you can have your search head behave as a forwarder (with an outputs.conf pointing at your indexers), and that the summary indexing data from search head #1 will also be sent there. This means that both (or all, if you expand the number of search heads) will be able to see the summary data.
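The forwarding setup mentioned in the answer above, as an added example that is not part of the original post. The group name, hostnames and port 9997 are assumptions; the summary index must also be defined on the indexers.

```ini
# outputs.conf on each search head (added example; names and addresses are placeholders)

# Stop indexing locally so summary events are not kept on the search head
[indexAndForward]
index = false

[tcpout]
# Send everything to the indexer group defined below
defaultGroup = my_indexers
# Forward all indexes, including summary and internal indexes
forwardedindex.filter.disable = true
# Do not keep a local copy of forwarded data
indexAndForward = false

[tcpout:my_indexers]
# Receiving port configured on the indexers (assumed 9997)
server = idx1.example.com:9997, idx2.example.com:9997
```

With this in place the summary events live only on the indexers, so the app's query should drop the splunk_server=local filter; otherwise it would find nothing on the search head.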