40 Days of 4.0: Distributed searching

If you are a long-time Enterprise user of the 3.x product, you may have become used to the pull-down menu for distributed searching. One of the common use cases for this menu was searching specific indexers in your distributed search. A common question was: "Can we restrict the server via search syntax?" In the 3.3 and 3.4 product, you cannot restrict by syntax through the web interface. There is a trick you can use via the command line, but that doesn't help when you want to do this in a saved search.

In the 4.0 release, we have removed the pull-down menu and implemented indexer restrictions with search syntax. The new parameter is called "splunk_server". Let's assume I have a distributed searcher (hostname=searcher1) and three indexers (hostname=indexer1, hostname=indexer2, and hostname=indexer3). If I am searching for "error" and my goal is to restrict my search to indexer3, I would use the following query:

splunk_server=indexer3 error

To search anything but indexer3 I would use:

error NOT splunk_server=indexer3

Using this restriction can be useful for tracking specific datacenters, monitoring server health, and securing data (you can add it as a search filter on a role so that the role's users only ever see results from the indexers you allow). For the complete documentation on this parameter, see our official documentation:

http://www.splunk.com/base/Documentation/latest/User/SpecifyMultipleServersToSearch
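As an added example (not from the original post), this is what the "filter on a role" use case looks like as a configuration fragment. It assumes the authorize.conf srchFilter setting, which is applied to every search a member of the role runs; the role name and indexer hostnames are made up for illustration.

```ini
# Constructed example: authorize.conf on the search head (searcher1).
# Members of this role can only retrieve events stored on indexer1 and
# indexer2; the filter is combined with whatever search the user types,
# so "error" submitted by a dc_east_analyst becomes
# (splunk_server=indexer1 OR splunk_server=indexer2) error.
[role_dc_east_analyst]
importRoles = user
srchFilter = (splunk_server=indexer1 OR splunk_server=indexer2)

# Constructed example of the inverse: a role that may search every
# indexer except the one holding sensitive data (indexer3).
[role_general_analyst]
importRoles = user
srchFilter = NOT splunk_server=indexer3
```

Because the filter is enforced server-side on the search head, a user in either role cannot override it by adding their own splunk_server term to the query.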

Note: distributed searching is limited to the Splunk Enterprise version.
