topic Re: search on distributed splunk servers in Splunk Search

search on distributed splunk servers

shangshin — Tue, 15 May 2012 16:12:11 GMT

Hi,
I installed splunk on 2 servers, e.g. abc and xyz and I am able to access it from http://abc:8000/ and http://xyz:8000/

So the question is how can I perform a search on http://abc:8000/ and the search universe including both abc and xyz.

I tried to enter splunk_server=xyz on http://abc:8000/ but no data is returned. Thanks!

Re: search on distributed splunk servers

bjalex80 — Tue, 15 May 2012 16:25:43 GMT

You need to set up the distsearch.conf on each server if you want to query data from both of them. See the documentation on distributed search: http://docs.splunk.com/Documentation/Splunk/4.3.2/Deploy/Configuredistributedsearch

Re: search on distributed splunk servers

kristian_kolb — Tue, 15 May 2012 16:29:38 GMT

You go into Manager -> Distributed Search -> Search Peers -> Add

Then you fill out the form and press Save. You need to know the admin-password for the Splunk server you are connecting to, and they need to be able to communicate on port 8089 (or whatever you changed it to (if you did)).

For more information see the docs,

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configuredistributedsearch

Hope this helps,

Kristian

Re: search on distributed splunk servers

shangshin — Tue, 15 May 2012 18:46:42 GMT

Thanks for the advice. I followed your instruction and see all the data is available on one server. I assume by adding a peer server, I am able to search data across distributed splunk server.

However, lookup fields or sourcetype created on distributed server won't be visiable on the local server. Is that correct?

Re: search on distributed splunk servers

kristian_kolb — Tue, 15 May 2012 20:27:42 GMT

No, but you can do the same configuration on the other server, i.e. tell it to use the other as a search peer.

Then they can search each other, but they will not share configs for field extractions, lookups, saved searches etc etc.