Splunk Cloud Platform

Search Manual

Search across one or more distributed search peers

When performing a distributed search from a search head, you can restrict your searches to specific search peers (also known as "indexer nodes") by default and in your saved and scheduled searches. The names of your Splunk search peers are saved as values in the "splunk_server" field. For more information about distributed search, see "About distributed search" in the Distributed Search manual.

If no search peer is specified, your search accesses all search peers you have permission to access. The default peers that you can access are controlled by the roles and permissions associated with your profile and set by your Splunk admin. For more information, see "About users and roles" in Securing Splunk Enterprise.

The ability to restrict your searches to specific peers can be useful when there is high latency to certain search peers and you do not want to search them by default. When you specify one or more peers, those are the only servers that are included in the search.

You can specify different peers to search in the same way that you specify other field names and values. In this case, the field name is "splunk_server" and the field value is the name of a particular distributed peer:

splunk_server=<peer_name>

Note: You can use the value "local" to refer to the Splunk instance that you are searching from; in other words, the search head itself.

splunk_server=local

Keep in mind that field names are case sensitive; Splunk will not recognize a field name if the case doesn't match.

Examples

Example 1: Return results from specified search peers.

error (splunk_server=NYsplunk OR splunk_server=CAsplunk) NOT splunk_server=TXsplunk

Example 2: Search different indexes on distributed search peers "foo" or "bar".

(splunk_server=foo index=main 404 ip=10.0.0.0/16) OR (splunk_server=bar index=mail user=admin)

Last modified on 23 June, 2016
Retrieve events from indexes   Classify and group similar events

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2203, 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters