TIPS & TRICKS

Distributed searching

If you are a long-time enterprise user of the 3.x product, you may have become used to the pull-down menu for distributed searching. One of the common use cases for this menu was searching specific indexers in your distributed search. A common question was: “Can we restrict the server via search syntax?” In the 3.3 and 3.4 product, you cannot restrict via syntax through the web interface. There is a trick you can use via the command line, but that doesn’t help when you want to do this in a saved search.

In the 4.0 release, we have removed the pull-down menu and implemented indexer restrictions with search syntax. The new parameter is called “splunk_server”. Let’s assume I have a distributed searcher (hostname=searcher1) and three indexers (hostname=indexer1, hostname=indexer2, and hostname=indexer3). If I am searching for “error” and my goal is to restrict my searches to indexer3, I would use the following query:

splunk_server=indexer3 error

To search anything but indexer3 I would use:

error NOT splunk_server=indexer3

Using this restriction can be useful for tracking specific datacenters, monitoring server health, and securing data (the restriction can be added as a search filter on a role, so users in that role only ever see events from the permitted indexers). For the complete documentation on this parameter, see our official documentation:

http://www.splunk.com/base/Documentation/latest/User/SpecifyMultipleServersToSearch
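A few more ways to use the same parameter, as added examples rather than queries from the original post. They assume the same hostnames (indexer1, indexer2, indexer3) and the same search term “error”; lines beginning with # are annotations, not search syntax. The last query is the check a practitioner wants before relying on the restriction for access control: because splunk_server is present as a field on every returned event, a stats over it shows which indexers actually answered.

```spl
# Restrict to two of the three indexers by combining the parameter with OR
error (splunk_server=indexer1 OR splunk_server=indexer2)

# Exclude only the search head's own locally indexed data; "local" is the
# documented special value that refers to the search head itself
error NOT splunk_server=local

# Verify the effective scope: every event carries splunk_server, so the
# count by splunk_server should list only indexer3 when the filter is honored
splunk_server=indexer3 error | stats count by splunk_server
```

When the restriction is used as a role filter rather than typed into a search, run the last query as a member of that role: if any other indexer appears in the output, the filter is not being applied to that user’s searches.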

Note: distributed searching is limited to the Splunk enterprise version.

Posted by Simeon Yep