My app includes the definition of a summary index in indexes.conf. When I am providing a copy of the app for clustered/distributed Splunk Enterprise environments, I like to split the app into two versions: one for the search heads and one for the indexers.
Regarding the summary index definition in indexes.conf, should I include the definition in the search head version of the app or the indexer version of the app? Does it matter either way? Should I only include it in the indexer version if the environment is configured to index the summary data on the indexers (i.e., the outputs.conf is configured to forward summary data to the indexers)?
↧