https://community.splunk.com/t5/Deployment-Architecture/How-to-connect-search-head-to-new-indexer-in-a-distributed/m-p/502058#M17217 <P>You have it right. Go to Settings-&gt;Distributed search and add the existing indexer as a search peer.<BR /> Keep in mind that every search run on the two search heads takes up a CPU on the indexer so be careful not to allow Dev to affect the performance of Prod by running a lot of searches and using up resources on the indexer.</P> Tue, 15 Oct 2019 18:35:48 GMT richgalloway 2019-10-15T18:35:48Z https://community.splunk.com/t5/Deployment-Architecture/How-to-connect-search-head-to-new-indexer-in-a-distributed/m-p/502057#M17216 <P>Hi all,</P> <P>Currently, our Splunk dev environment consists of a standalone instance that is both our indexer and search head. <BR /> What I am trying to do is set up a new search head that will connect to our production environment indexer, essentially mimicking production in development. I have a brand new instance that I just got set up that will act as a standalone search head. <BR /> From here, would I add the indexer as a search peer in a distributed search? <BR /> I'm only about a week into learning Splunk, so this stuff definitely confuses me a bit which is why I decided to ask on here. </P> <P>Please let me know what you guys think is the best solution here.</P> Tue, 15 Oct 2019 15:46:35 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-connect-search-head-to-new-indexer-in-a-distributed/m-p/502057#M17216 maxguttsait 2019-10-15T15:46:35Z https://community.splunk.com/t5/Deployment-Architecture/How-to-connect-search-head-to-new-indexer-in-a-distributed/m-p/502058#M17217 <P>You have it right. Go to Settings-&gt;Distributed search and add the existing indexer as a search peer.<BR /> Keep in mind that every search run on the two search heads takes up a CPU on the indexer so be careful not to allow Dev to affect the performance of Prod by running a lot of searches and using up resources on the indexer.</P> Tue, 15 Oct 2019 18:35:48 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-connect-search-head-to-new-indexer-in-a-distributed/m-p/502058#M17217 richgalloway 2019-10-15T18:35:48Z https://community.splunk.com/t5/Deployment-Architecture/How-to-connect-search-head-to-new-indexer-in-a-distributed/m-p/502059#M17218 <P>Use the CLI<BR /> To add a search peer, run this command from the search head:</P> <P>splunk add search-server ://: -auth : -remoteUsername -remotePassword </P> <P>Note the following: </P> <OL> <LI> is the URI scheme: "http" or "https".</LI> <LI> is the host name or IP address of the search peer's host machine.</LI> <LI> is the management port of the search peer.</LI> <LI>Use the -auth flag to provide credentials for the search head.</LI> <LI><P>Use the -remoteUsername and -remotePassword flags for the credentials for the search peer. The<BR /> remote credentials must be for an admin-level user on the search peer.</P> <P>For example:</P> <P>splunk add search-server <A href="https://192.168.1.1:8089">https://192.168.1.1:8089</A> -auth admin:password -remoteUsername admin -remotePassword passremote<BR /> You must run this command for each search peer that you want to add.</P></LI> </OL> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.3.2/DistSearch/Configuredistributedsearch">https://docs.splunk.com/Documentation/Splunk/7.3.2/DistSearch/Configuredistributedsearch</A> </P> <P>You can refer to the above link.</P> <P>Hope this help, Thanks !</P> Tue, 15 Oct 2019 20:11:27 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-connect-search-head-to-new-indexer-in-a-distributed/m-p/502059#M17218 sandeepmakkena 2019-10-15T20:11:27Z