Our environment includes both an index and a search head cluster. Following the distributed environment installation guide for the Splunk App for AWS, we installed the Splunk App for AWS on the Splunk Add-on for AWS on the Search Heads, the Splunk Add-on for AWS on the indexers (deployed via the cluster manager), and we've deployed a heavy forwarder with the Splunk Add-on for AWS.
We configured the heavy forwarder to allow us to use the Splunk App on the SHC members to configure the various inputs. Data flows from the heavy forwarder to the indexer cluster (load-balanced and over SSL to boot!) and we can query that data via the SHC members; however, all of that data is being sent to the main index. We created a new index in the index cluster called AWS and wanted to send the data there, but when we use the Splunk App for AWS on the Search Head cluster to configure the inputs to send data to the new index, we don't have this new AWS index as an option.
We tried creating the index on the heavy forwarder, but we were still unable to see it on the SHC members to assign the AWS inputs to it.