|
Hello, I'm looking to set up our search head to send summary index data it generates back to our indexers in a distributed environment. I found the following question, and I understand the theory of the answer. However, I don't know specifically how to set up the search head as a forwarder and how to tell it to forward the summaries generated instead of indexing them. http://answers.splunk.com/questions/5837/summary-indexing-on-a-search-head Furthermore, is Splunk intelligent enough to determine that summaries generated by a search head and then forwarded back down to our indexers are summaries and therefore not count them toward our license? Thanks for any guidance. |
|
Hi Matt - Having gone through this before, I can say that anything forwarded from the Search head to the indexers is NOT counted toward your license cost. You can even set up the Search head to use the forwarder license included with the app. With regards to setting up the Search head as a forwarder, it's the same process as you would use for any other forwarder. You can find the details here: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Setupforwardingandreceiving#Set_up_forwarding_and_receiving:_heavy_or_light_forwarders. Now, there's one caveat. If you use custom named summary indexes, you'll have to make sure they're created in the indexes.conf on the Indexers as well. Hope this helps! Brian Excellent. That's exactly what I was looking for, and I forgot to mention that we do use custom named summary indexes. I will try the setup as you suggest and report back. Thanks!
(02 Nov '10, 19:47)
mattcg
1
Not
(14 Apr '11, 15:39)
Jason
|
