I am trying to set up a lab for my test environment where i want to install indexer and heavy forwarder in the same local machine. Is it possible as i am having some doubt since the splunk enterprise package is also a software , can it be downloaded twice in a single machine and run twice , one to act as a indexer and other for heavy forwarder. Please help
yes, you can set a Heavy Forwarder to index locally and forward data by setting IndexAndforward=true in your outputs.conf but this is NOT recommended behavior in a prod Splunk environment
Is it possible - yes?
Is it sensible, desirable, necessary, "a good idea" - In production, No. Lab/Demo/Test it should be fine.
Yes you can run two (or more) copies of Splunk, but you will need to adjust all the ports it runs on to avoid port clashes.
Thank you. Need a little help, how to adjust the ports i.e. is there any way that before installation only i can change the port numbers. If so could you please guide me on the same.
If you do not want to define specific ports for second splunk instance then use command
$SPLUNK_HOME/bin/splunk start --accept-license --auto-portswhile starting splunk first time and it will automatically pick up next available ports from Splunk default ports.
If you are installing on windows, I think the installer prompts you to select the ports as you install.
If you are installing on linux, you are not prompted at all.
What I have done in the past is:
1.)Perform the first install in /opt/splunk then ensure splunk is not running.
2.)Do the second install in /opt/splunkhf also,
rpm -i --prefix=/opt/splunkhf splunk_package_name.rpm and ensure splunk is not running.
3.) Edit the ports in server.conf, web.conf for the splunkhf install perhaps 8089-9089, 8000-9000 etc.
4.) Start /opt/splunk
5.) Start /opt/splunkhf and check the console to make sure there are no port clashes.
On linux, doesn't splunk complain about ports in use during first start and then let you choose alternative ports?
On windows you're going to run into issues running these instances as a service I believe.
Alternatively: spin up a few VMs, or check out solutions like docker.
Thanks for coming back. I have done this kind of setup using AWS where i have made one server as heavy forwarder and one as indexer. Just wanted to know if the above said scenario is possible or there is some ambiguity in it.