Deployment Architecture

Distributed Summary indexing - Search head and indexer on 4.2

Starlette
Contributor

Hi there,

How do I have to deal with this on 4.2? Because in 4.2 you have to run the search head as a member of the pool (slave license node) ( http://www.splunk.com/base/Documentation/latest/Deploy/Installadedicatedsearchhead )

I am rolling out this setup now with the Cisco Security app, and am not sure how to go on. I want custom summary indexes, btw, from the Cisco Security app because of roles/users.

Pre-4.2 answers:

http://answers.splunk.com/questions/7810/app-installation-scheduled-searches-summary-index-and-searc...

http://answers.splunk.com/questions/5837/summary-indexing-on-a-search-head

http://answers.splunk.com/questions/8613/distributed-summary

thanks!

0 Karma

rbal_splunk
Splunk Employee

The information provided above for summary indexing is true in a Splunk clustered environment.

Below are the steps that I used to test it in my clustered environment on Splunk version 6.0.4.

In my clustered test environment I have: Cluster master (Name: CM604), Cluster peer 1 (Name: peer1604), Cluster peer 2 (Name: peer2604), Search Head 1 (Name: sh604), Search Head 2 (Name: sh2604).

1) Search Head 1 is set up to forward all of its data to the cluster peers.
2) For my test I used index=testsummary for summary indexing.
3) Deployed the custom index=testsummary from the cluster master to the cluster peers (using indexes.conf).
4) Created the custom index on "Search Head 1", where the summary indexing is to be performed.
5) Defined a saved search on "Search Head 1" which uses the custom index=testsummary for summary indexing. "Search Head 1" performs the summary and forwards the data to the cluster peers.
6) This data is searchable from both "Search Head 1" and "Search Head 2".

0 Karma

yannK
Splunk Employee

For summary indexing in a distributed environment, you need:

  • the summary index created on the search head and on every indexer
  • the search head configured to forward all of its data to the indexers (load-balanced if needed), see Manager > Forwarding
  • the app and the summary searches installed on the search head.

The populating searches run on the search head; the results are written to the local spooler, then monitored and parsed locally, then forwarded to the indexers and stored in the indexes on the indexers.
Then, when searching the summarized data, it acts like a distributed search, and the results are returned by the indexers.
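The setup described in both answers above (index defined on the search head and on the indexers, search head forwarding everything to the indexers, scheduled search on the search head writing to the summary index), as an added configuration example that is not part of either post. The host names peer1604/peer2604 and the index name testsummary are taken from rbal_splunk's test environment; the saved-search name, its search string and the receiving port 9997 are assumptions for illustration, not anything the thread specifies.

```ini
# --- indexes.conf ---
# Identical stanza deployed to EVERY indexer/cluster peer AND to the search head.
# The search head needs it so the summary search can target index=testsummary;
# the indexers need it because that is where the forwarded events are stored.
# Missing it on even one indexer means events routed there are dropped or
# land in the lastChanceIndex, so searches return incomplete summaries.
[testsummary]
homePath   = $SPLUNK_DB/testsummary/db
coldPath   = $SPLUNK_DB/testsummary/colddb
thawedPath = $SPLUNK_DB/testsummary/thaweddb

# --- outputs.conf (search head only) ---
# Forward everything the search head generates, including the summary events
# read from its spool directory, to the indexers in a load-balanced group.
# indexAndForward = false keeps the search head from also storing a local
# copy, so the summary data lives in exactly one place: the indexers.
[tcpout]
defaultGroup    = indexers
indexAndForward = false

[tcpout:indexers]
server = peer1604:9997,peer2604:9997
autoLB = true

# --- savedsearches.conf (search head only, inside the app) ---
# Hypothetical scheduled search that populates the summary index once an hour.
# action.summary_index._name selects the target index; the extra
# action.summary_index.<field> keys are stamped onto every summary event so
# the summarized results can be told apart from other searches writing to
# the same index.
[Hourly auth failures by source]
search = index=main sourcetype=cisco:asa "Authentication failed" | stats count AS failures BY src
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
action.summary_index = 1
action.summary_index._name = testsummary
action.summary_index.report = auth_failures_hourly
```

To verify the pieces before waiting for the first scheduled run: `splunk btool indexes list testsummary --debug` on each node shows which file defines the index (the search head and every peer should show it), and `splunk list forward-server` on the search head should list both peers as active. A first check of the data path is `index=testsummary report=auth_failures_hourly | stats count BY splunk_server`, run from either search head; the splunk_server values should be the peers, not the search head, confirming the events were forwarded rather than indexed locally.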
