Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Given two standalone Splunk environments, can I point one instance to search the other instance in addition to its own instance?

carlkennedy
Path Finder
‎03-09-2017 09:16 AM

I am working with two Splunk standalone environments where each environment is a single server that acts as search head and indexer. Users currently have to log into both environments to run reports. They want to only log into one server and run a combined report. I understand that the optimal solution is to have one environment but this is not currently possible. Can I update the distributed search settings in System A to search both itself and also System B? Looking at the docs for distributed search I see this line:

Important: A search head cannot perform a dual function as a search peer.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-09-2017 09:26 AM

You can add Standalone box B as search peer to Standalone box A. Again, it's not recommended that you have an indexer also work as search head (system B here) as it will increase load on that servers. Temporary this could work, but long term and to have robust SPlunk deployment, I would consider you reading these resources and re-architect your environment(s).

https://conf.splunk.com/session/2014/conf2014_KarandeepBains_Splunk_Deploying.pdf
http://docs.splunk.com/Documentation/Splunk/6.5.2/Capacity/Referencehardware

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-09-2017 09:39 AM

You cannot chain your search heads but you can have Search Head A talk to both his own Indexer Tier A and also any other Indexer Tier. You simply login to Search Head A and go to Settings -> Distributed Search -> New and add each Indexer from Tier B as a Search Peer. That's it. Now you are searching against both systems.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-09-2017 09:26 AM

You can add Standalone box B as search peer to Standalone box A. Again, it's not recommended that you have an indexer also work as search head (system B here) as it will increase load on that servers. Temporary this could work, but long term and to have robust SPlunk deployment, I would consider you reading these resources and re-architect your environment(s).

https://conf.splunk.com/session/2014/conf2014_KarandeepBains_Splunk_Deploying.pdf
http://docs.splunk.com/Documentation/Splunk/6.5.2/Capacity/Referencehardware

0 Karma
Reply
Solved! Jump to solution

carlkennedy
Path Finder
‎03-09-2017 10:52 AM

Thanks for the quick response.

0 Karma
Reply
Get Updates on the Splunk Community!

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation

Culture extends beyond work experience and coffee roast preferences on software engineering teams. Team ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Index This | I am a number but I am countless. What am I?

January 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  Happy New Year! We’re ...