Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Where should we upload a file to index the data in an indexer cluster?

rangineniarunku
Explorer
‎07-14-2017 02:13 PM

We are using clustered environment with multiple indexers and single Search head. I want to upload a file which needs to be indexed in all the indexers. Where should I upload it SearchHead or Cluster Master to reflect in all the indexers?

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-14-2017 03:11 PM

I would recommend you upload form the search head, but you need to ensure you confirm that the search head is configured with an ouputs.conf and is forwarding to the indexers. It is best practice, that all your splunk instances other than indexers* have a outputs.conf and forward their logs or any data uploaded to the indexers.

You can read the following article and think of your search head as a "Heavy Forwarder":
http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Deployaheavyforwarder

As long as you have an outputs.conf on the search head, uploading form there will be fine.

Now, when you upload the file, it will be sent to ONE indexer, indexed, and replicated based on your Replication Factor/Search Factor in the cluster.

When you say "all indexers", do really mean every single indexer? Are we talking about a file that needs to be indexed? or a file that needs to be provided to each indexer...Because if it's the later, you simply need to send the file to the indexers in an app from the Cluster Master by pushing a cluster bundle.

http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/Updatepeerconfigurations

  • there are certain scenarios where indexers might have outputs to 3rd party systems but thats beyond the scope of this answer
- MattyMo
0 Karma
Reply

rangineniarunku
Explorer
‎07-14-2017 10:05 PM

I want to upload a file that needs to be indexed and make sure it available in all the indexers as we are using clustered environment.

0 Karma
Reply

davidmills
Explorer
‎02-21-2019 05:10 PM

We have a cluster of 3 Search Heads. Does the same still apply. Do we load the file to one of the 3 and index from there?

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-15-2017 10:43 AM

The follow the first part of my answer above and add the data from the Search Head.

The Cluster will ensure the data is replicated accordingly.

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...