Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Given two standalone Splunk environments, can I point one instance to search the other instance in addition to its own instance?

carlkennedy
Path Finder
‎03-09-2017 09:16 AM

I am working with two Splunk standalone environments where each environment is a single server that acts as search head and indexer. Users currently have to log into both environments to run reports. They want to only log into one server and run a combined report. I understand that the optimal solution is to have one environment but this is not currently possible. Can I update the distributed search settings in System A to search both itself and also System B? Looking at the docs for distributed search I see this line:

Important: A search head cannot perform a dual function as a search peer.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-09-2017 09:26 AM

You can add Standalone box B as search peer to Standalone box A. Again, it's not recommended that you have an indexer also work as search head (system B here) as it will increase load on that servers. Temporary this could work, but long term and to have robust SPlunk deployment, I would consider you reading these resources and re-architect your environment(s).

https://conf.splunk.com/session/2014/conf2014_KarandeepBains_Splunk_Deploying.pdf
http://docs.splunk.com/Documentation/Splunk/6.5.2/Capacity/Referencehardware

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-09-2017 09:39 AM

You cannot chain your search heads but you can have Search Head A talk to both his own Indexer Tier A and also any other Indexer Tier. You simply login to Search Head A and go to Settings -> Distributed Search -> New and add each Indexer from Tier B as a Search Peer. That's it. Now you are searching against both systems.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-09-2017 09:26 AM

You can add Standalone box B as search peer to Standalone box A. Again, it's not recommended that you have an indexer also work as search head (system B here) as it will increase load on that servers. Temporary this could work, but long term and to have robust SPlunk deployment, I would consider you reading these resources and re-architect your environment(s).

https://conf.splunk.com/session/2014/conf2014_KarandeepBains_Splunk_Deploying.pdf
http://docs.splunk.com/Documentation/Splunk/6.5.2/Capacity/Referencehardware

0 Karma
Reply
Solved! Jump to solution

carlkennedy
Path Finder
‎03-09-2017 10:52 AM

Thanks for the quick response.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...