Deployment Architecture

Attributes to be set in distsearch.conf


I read that the distsearch.conf is to configure only distributed search.
In order to set the distributed search , I have set the distsearch.conf ENABLED in my Splunkweb(Search head).
It creates the file in the Search head --> (distsearch.conf)

In my deployment , I have

deployment server-1

heavy forwarder-1

Indexers -2

Do i need to add all the Splunk instance(incl. forwarder,deployment server) in 'servers' attribute ? or only the search head IPs ?


 #This file contains possible attributes and values you can use to configure distributed search.
servers = 10.x.x.x:8089,10.x.x.x:8089
0 Karma


In distsearch.conf

in Servers you need to add only search-peers(Indexers or where data is being stored)

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...