Deployment Architecture

Can we install heavy forwarder and indexer on the same machine

New Member

I am trying to set up a lab for my test environment where i want to install indexer and heavy forwarder in the same local machine. Is it possible as i am having some doubt since the splunk enterprise package is also a software , can it be downloaded twice in a single machine and run twice , one to act as a indexer and other for heavy forwarder. Please help

Tags (2)
0 Karma

Communicator

yes, you can set a Heavy Forwarder to index locally and forward data by setting IndexAndforward=true in your outputs.conf but this is NOT recommended behavior in a prod Splunk environment

https://docs.splunk.com/Documentation/Splunk/7.2.4/Forwarding/Routeandfilterdatad

0 Karma

Ultra Champion

Is it possible - yes?
Is it sensible, desirable, necessary, "a good idea" - In production, No. Lab/Demo/Test it should be fine.

Yes you can run two (or more) copies of Splunk, but you will need to adjust all the ports it runs on to avoid port clashes.

0 Karma

New Member

Hi Nick,
Thank you. Need a little help, how to adjust the ports i.e. is there any way that before installation only i can change the port numbers. If so could you please guide me on the same.

0 Karma

SplunkTrust
SplunkTrust

If you do not want to define specific ports for second splunk instance then use command $SPLUNK_HOME/bin/splunk start --accept-license --auto-portswhile starting splunk first time and it will automatically pick up next available ports from Splunk default ports.

Ultra Champion

Oh, that's cool - I never knew that!
Thanks Harshil!

0 Karma

SplunkTrust
SplunkTrust

Welcome @nickhillscpl

0 Karma

Ultra Champion

If you are installing on windows, I think the installer prompts you to select the ports as you install.
If you are installing on linux, you are not prompted at all.
What I have done in the past is:
1.)Perform the first install in /opt/splunk then ensure splunk is not running.
2.)Do the second install in /opt/splunkhf also, rpm -i --prefix=/opt/splunkhf splunk_package_name.rpm and ensure splunk is not running.
3.) Edit the ports in server.conf, web.conf for the splunkhf install perhaps 8089-9089, 8000-9000 etc.
4.) Start /opt/splunk
5.) Start /opt/splunkhf and check the console to make sure there are no port clashes.

0 Karma

Ultra Champion

On linux, doesn't splunk complain about ports in use during first start and then let you choose alternative ports?

On windows you're going to run into issues running these instances as a service I believe.

Alternatively: spin up a few VMs, or check out solutions like docker.

0 Karma

Path Finder

Hi,

If you really want that kind of setup then,,

Have you tried creating a VM within that machine and install indexer or heavy forwarder there?

Raj

0 Karma

New Member

Hi Raj,

Thanks for coming back. I have done this kind of setup using AWS where i have made one server as heavy forwarder and one as indexer. Just wanted to know if the above said scenario is possible or there is some ambiguity in it.

0 Karma