I have a 10Gb license. I already have an indexer, but I now need a search head.
How many resources do I need? Right now I have one indexer, but in the future, I will have more.
Where can I find a procedure about how to install and configure a search head?
Thank you very much!
To install a SH, you simply install a regular Splunk Enterprise instance and then configure distributed search, if it's a standalone. If it's a clustered environment, then you have to adjust this a little bit after installation.
I would recommend that you review this document:
https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Overviewofconfiguration (don't forget to adjust this to your Splunk version, with the dropdown at the top of the page)
Within this you will also find:
System requirements and other deployment considerations for distributed search (how to set up your SH): https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Distsearchsystemrequirements
General system requirements: https://docs.splunk.com/Documentation/Splunk/7.2.3/Installation/Systemrequirements
I have a quick question. Does the search head have to be on a different server from my indexer server? Maybe it's a stupid question, but it's my very first time.
My license is actually on the indexer server. I have my Splunk Web there.
So at the moment you have a standalone Splunk instance? Then it will have all the roles: SH, Indexer, License Master.
Best practice is to have a dedicated server for each role, but this depends on the size of your environment. So if you want to use this standalone as your Search Head, you don't have to set up distributed search. Just use the Search & Reporting app to search your events.
Yeah, that's it.
Actually, I have a standalone server.
My plan is to distribute it.
I need hardware resources for my SH (I think 4 CPU and 8 RAM will be okay).
for hardware requirements. When you set up your SH, as said, simply install your Splunk Enterprise instance and set up distributed search.
Even if it's not functioning as an Indexer, you have to have a valid license for your SH. So you have to configure it as a license slave: https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Configurealicenseslave
You can install Splunk the same way you did for the indexer, and then for configuration of the search head refer to this doc:
In the future you would have to go with a Splunk indexer cluster and search head cluster.
Let me know if this helps!
Oh, thank you!
Just one more question! How about my license? If I install it on my indexer, would I install it again on the search head?