https://community.splunk.com/t5/Getting-Data-In/Splunk-architecture-feedback/m-p/371727#M67469 <P>Taking into account the info provided above regarding system requirements and architecture, if you want a search head, an indexer, and a forwarder, here are some notes that might help you get up and rolling quickly. I would recommend reading the docs on this as well so you understand it more deeply, but this will be sort of a quick start.</P> <UL> <LI>Install Indexers</LI> <LI>Change default password on each Indexer (required for Search Head to connect)</LI> <LI>Install Search Head</LI> <LI>Install Licenses on Search Head (License Master)</LI> <LI>Configure each Indexer as a License Slave <UL> <LI>Settings &gt; Licensing</LI> <LI>Click Change to slave</LI> <LI>Click Designate a different Splunk instance as the master license server radio button</LI> <LI>Specify the IP/Hostname and Splunk management port (8089 by default)</LI> <LI>Save</LI> </UL></LI> <LI>Establish connections from Search Head to all Search Peers. This is the key step. <UL> <LI>Distributed search &gt; Search peers &gt; Add New</LI> <LI>Specify the search peer, along with any authentication settings</LI> <LI>Save</LI> </UL></LI> <LI><P>Install Universal Forwarders and configure to send to all Search Peers</P> <UL> <LI><P>Example Universal Forwarder outputs.conf<BR /> [tcpout]<BR /> defaultGroup = my_search_peers</P> <P>[tcpout:my_search_peers]<BR /> server=10.10.10.1:9997,10.10.10.2:9997<BR /><BR /> autoLB = true</P></LI> </UL></LI> <LI><P>Forward internal SH data to the indexer tier.</P> <UL> <LI>Create indexes from SH on the indexers (search peers). Internal indexes will already exist, but indexes created by apps can be easily created by installing the apps on the indexers as well.</LI> <LI>Set SH up to Forward to all Search Peers.</LI> <LI>Example outputs.conf</LI> <LI><H1>Turn off indexing on the search head</H1> <P>[indexAndForward]<BR /> index = false</P> <P>[tcpout]<BR /> defaultGroup = my_search_peers<BR /> forwardedindex.filter.disable = true<BR /> indexAndForward = false</P> <P>[tcpout:my_search_peers]<BR /> server=10.10.10.1:9997,10.10.10.2:9997<BR /><BR /> autoLB = true</P></LI> </UL></LI> </UL> Tue, 29 Sep 2020 16:04:47 GMT kmorris_splunk 2020-09-29T16:04:47Z https://community.splunk.com/t5/Getting-Data-In/Splunk-architecture-feedback/m-p/371722#M67464 <P>Hello every body ,</P> <P>I have to deploy 3 virtual machines to set up an architecture containing a forwarder, indexer and header.<BR /> I am new on splunk side integration.</P> <P>Can anyone give me his idea?</P> <P>thank you in advance</P> Mon, 02 Oct 2017 15:57:05 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-architecture-feedback/m-p/371722#M67464 ALLIACOM 2017-10-02T15:57:05Z https://community.splunk.com/t5/Getting-Data-In/Splunk-architecture-feedback/m-p/371723#M67465 <P>I would suggest reading this</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.6.3/Indexer/Advancedindexingstrategy#Deploy_indexers_in_a_distributed_environment">http://docs.splunk.com/Documentation/Splunk/6.6.3/Indexer/Advancedindexingstrategy#Deploy_indexers_in_a_distributed_environment</A></P> Mon, 02 Oct 2017 16:31:42 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-architecture-feedback/m-p/371723#M67465 somesoni2 2017-10-02T16:31:42Z https://community.splunk.com/t5/Getting-Data-In/Splunk-architecture-feedback/m-p/371724#M67466 <P>First off, I am guessing you mean a Forwarder, Indexer and Search Head..</P> <P>What are you looking for help with? Sizing for the VMs? </P> Mon, 02 Oct 2017 17:16:58 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-architecture-feedback/m-p/371724#M67466 darrenfuller 2017-10-02T17:16:58Z https://community.splunk.com/t5/Getting-Data-In/Splunk-architecture-feedback/m-p/371725#M67467 <P>With Splunk you have two ways to approach the architecture, with a standalone Splunk instance or a distributed set-up. It's much simpler to start with the standalone one, so, that's probably your best choice to begin with.</P> Mon, 02 Oct 2017 18:45:48 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-architecture-feedback/m-p/371725#M67467 ddrillic 2017-10-02T18:45:48Z https://community.splunk.com/t5/Getting-Data-In/Splunk-architecture-feedback/m-p/371726#M67468 <P>The answer is going to depend on exactly what you are trying to do, you will need to meet the <A href="http://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements">system requirements for Splunk</A></P> <P>There are conference talks about sizing, for <A href="https://conf.splunk.com/session/2015/conf2015_SYep_Splunk_Deploying_ArchitectingandSizingyourSplunkDeployment.pdf">example from 2015</A><BR /> There is also the <A href="http://docs.splunk.com/Documentation/Splunk/latest/Capacity/IntroductiontocapacityplanningforSplunkEnterprise">capacity planning</A> documentation and the <A href="http://docs.splunk.com/Documentation/Splunk/latest/Installation/InstallonLinux">installation manual</A> among many others. I built all my Splunk instances from reading the excellent documentation so that would be a good place to start...</P> <P>The conf 2017 slides are not uploaded yet but there were a few talks about using docker instances to create Splunk test environments.<BR /> You could in your example build 1 Splunk indexer, 1 Splunk search head (distributed Splunk architecture) and your remaining server could be a Splunk heavy forwarder or just a universal forwarder.<BR /> Or you could just build a single Splunk instance which is indexer/search head and have just 1 server, it is going to depend on what you are attempting to do.</P> <P>Alternatively you could look at building an indexer cluster which would require 1 server for cluster master and multiple indexers (or peer nodes).</P> Tue, 03 Oct 2017 13:21:36 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-architecture-feedback/m-p/371726#M67468 gjanders 2017-10-03T13:21:36Z https://community.splunk.com/t5/Getting-Data-In/Splunk-architecture-feedback/m-p/371727#M67469 <P>Taking into account the info provided above regarding system requirements and architecture, if you want a search head, an indexer, and a forwarder, here are some notes that might help you get up and rolling quickly. I would recommend reading the docs on this as well so you understand it more deeply, but this will be sort of a quick start.</P> <UL> <LI>Install Indexers</LI> <LI>Change default password on each Indexer (required for Search Head to connect)</LI> <LI>Install Search Head</LI> <LI>Install Licenses on Search Head (License Master)</LI> <LI>Configure each Indexer as a License Slave <UL> <LI>Settings &gt; Licensing</LI> <LI>Click Change to slave</LI> <LI>Click Designate a different Splunk instance as the master license server radio button</LI> <LI>Specify the IP/Hostname and Splunk management port (8089 by default)</LI> <LI>Save</LI> </UL></LI> <LI>Establish connections from Search Head to all Search Peers. This is the key step. <UL> <LI>Distributed search &gt; Search peers &gt; Add New</LI> <LI>Specify the search peer, along with any authentication settings</LI> <LI>Save</LI> </UL></LI> <LI><P>Install Universal Forwarders and configure to send to all Search Peers</P> <UL> <LI><P>Example Universal Forwarder outputs.conf<BR /> [tcpout]<BR /> defaultGroup = my_search_peers</P> <P>[tcpout:my_search_peers]<BR /> server=10.10.10.1:9997,10.10.10.2:9997<BR /><BR /> autoLB = true</P></LI> </UL></LI> <LI><P>Forward internal SH data to the indexer tier.</P> <UL> <LI>Create indexes from SH on the indexers (search peers). Internal indexes will already exist, but indexes created by apps can be easily created by installing the apps on the indexers as well.</LI> <LI>Set SH up to Forward to all Search Peers.</LI> <LI>Example outputs.conf</LI> <LI><H1>Turn off indexing on the search head</H1> <P>[indexAndForward]<BR /> index = false</P> <P>[tcpout]<BR /> defaultGroup = my_search_peers<BR /> forwardedindex.filter.disable = true<BR /> indexAndForward = false</P> <P>[tcpout:my_search_peers]<BR /> server=10.10.10.1:9997,10.10.10.2:9997<BR /><BR /> autoLB = true</P></LI> </UL></LI> </UL> Tue, 29 Sep 2020 16:04:47 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-architecture-feedback/m-p/371727#M67469 kmorris_splunk 2020-09-29T16:04:47Z