Search across one or multiple distributed servers
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10
Contents
Search across one or multiple distributed servers
You can restrict your searches to specific distributed search servers by default and in your saved and scheduled searches. The name of your Splunk servers are saved as values in the "splunk_server" field.
If no Splunk server is specified, your search accesses all search servers you have have permission to access. The default servers that you can access are controlled by the roles and permissions associated with your profile and set by your Splunk admin. For more information, see "About users and roles" in the Admin manual.
The ability to restrict your searches to specific servers can be useful when there is high latency to certain search servers and you do not want to search them by default. When you specify one or more servers, those are the only servers that are included in the search.
You can specify different servers to search in the same way that you specify other field names and values. In this case, the field name is "splunk_server" and the field value is the name of a particular distributed server:
splunk_server=<server_name>
Note: You can use the value "local" to refer to the splunk server that you are searching from.
splunk_server=localKeep in mind that field names are case sensitive; Splunk will not recognize a field name if the case doesn't match.
Examples
Example 1: Return results from specified servers.
error (splunk_server=NYsplunk OR splunk_server=CAsplunk) NOT splunk_server=TXsplunkExample 2: Search different indexes on distributed Splunk servers "foo" or "bar".
(splunk_server=foo index=main 404 ip=10.0.0.0/16) OR (splunk_server=bar index=mail user=admin)