Deployment Architecture

Cluster question

dolejh76
Communicator

We have a server in Omaha and a server in Jacksonville.

Currently all items are forwarded to Omaha, so when I log into Omaha I can see Omaha and Jacksonville. When I log into Jacksonville I can't see anything.

How do I set it so that in Jacksonville I can see Jacksonville? I don't want to replicate all Omaha indexes to Jacksonville, but I would like to be able to see Jacksonville when logged into Jacksonville.

Thanks
John

0 Karma

esix_splunk
Splunk Employee

Sounds to me like you are not indexing in Jacksonville, you are just forwarding events.

You either need to index and forward events from Jacksonville, or you need to set up distributed search from the Jacksonville instance(s).

Read this: https://docs.splunk.com/Documentation/Splunk/6.5.2/DistSearch/Configuredistributedsearch

What you want to do is add the Omaha indexer as a peer to Jacksonville. Be aware there are some bandwidth and latency issues to consider...

0 Karma

dolejh76
Communicator

I'll take a look - thanks

0 Karma

somesoni2
Revered Legend

Does your search head have both Omaha and Jacksonville indexers added as Search Peers?

0 Karma

dolejh76
Communicator

Logged into Omaha - I see Jax as a Peer, and Omaha as a search head.

0 Karma

somesoni2
Revered Legend

What do you see in Jacksonville? Do you see Omaha as a Peer?

0 Karma

dolejh76
Communicator

If I log into Jax - I just see - Clustering: Peer Node and Jax.

0 Karma

mrgibbon
Contributor

Sounds like you need to add Omaha as a search peer on the Jax machine.

0 Karma