Deployment Architecture

How do you install a search head?

christianubeda
Path Finder

Hi team!

I have a 10 GB license. I already have an indexer but now I need a search head.

How many resources do I need? Right now I have one indexer, but in the future I will have more.

Where can I find a procedure on how to install and configure a search head?

Thank you a lot!

0 Karma
1 Solution

dkeck
Influencer

Hi

To install a SH, you simply install a regular Splunk Enterprise instance and then configure distributed search, if it's standalone. If it's a clustered environment then you have to adjust this a little bit after installation.

I would recommend that you review this document:

https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Overviewofconfiguration (don't forget to adjust this to your Splunk version, with the dropdown at the top of the page)

Within this you will also find

System requirements and other deployment considerations for distributed search (how to set up your SH): https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Distsearchsystemrequirements

General system requirements: https://docs.splunk.com/Documentation/Splunk/7.2.3/Installation/Systemrequirements


0 Karma

mayurr98
Super Champion

Hi

You can install Splunk the same way you did for the indexer and then, for configuration of the search head, refer to these docs:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/Clusterconfigurationoverview
https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/Enablethesearchhead

In future you would have to go with a Splunk indexer cluster and search head cluster.
Let me know if this helps!

0 Karma

christianubeda
Path Finder

Oh, thank you!

Just one more question! How about my license? If I install it on my indexer, would I install it again on the search head??

0 Karma


christianubeda
Path Finder

Hi!

I have a quick question. Does the search head have to be on a different server from my indexer server? Maybe it's a stupid question but it's my very first time.

My license is actually on the indexer server. I have my Splunk Web there.

0 Karma

dkeck
Influencer

So at the moment you have a standalone Splunk instance?? So it will have all the roles: SH, indexer, license master.

Best practice is to have a dedicated server for each role, but this depends on the size of your environment. So if you want to use this standalone as your search head you don't have to set up distributed search. Just use the Search & Reporting app to search your events.

0 Karma

christianubeda
Path Finder

Yeah, that's it.

Actually I have a standalone server.

My plan is to distribute it.

I need hardware resources for my SH (I think 4 CPU and 8 GB RAM will be okay).

0 Karma

dkeck
Influencer

Ok understood.

See https://docs.splunk.com/Documentation/Splunk/7.2.3/Installation/Systemrequirements

for hardware requirements. When you set up your SH, as said, just install your Splunk Enterprise instance and set up distributed search.

Even if it's not functioning as an indexer, you have to have a valid license for your SH. So you have to configure it as a license slave: https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Configurealicenseslave
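The two steps dkeck describes in the accepted answer and in this post (install a plain Splunk Enterprise instance, point it at the indexer as a search peer, then make it a license slave of the existing license master) as an added example script. This is not code from the thread or from Splunk's documentation; it only wraps the documented `splunk` CLI commands. The paths and host names (`/opt/splunk`, `idx1.example.com`, management port 8089) are assumed, and all credentials are taken from environment variables so that nothing secret is written into the script. Running it with `DRY_RUN=1` prints what would be executed, with passwords redacted.

```shell
#!/bin/sh
# Added example (not from the thread or Splunk docs): turn a freshly installed
# Splunk Enterprise instance into a distributed search head that pulls its
# license from an existing license master, using the documented splunk CLI.
# Assumed values: SPLUNK_HOME=/opt/splunk, the indexer host name, and the
# management port 8089. Credentials come from the environment, never from
# the script. Run with DRY_RUN=1 first to see what would be executed.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
DRY_RUN="${DRY_RUN:-0}"
# Search peers (indexers) to register, space separated. Assumed host names.
INDEXERS="${INDEXERS:-https://idx1.example.com:8089}"
# The license master; in this thread that is the existing indexer.
LICENSE_MASTER="${LICENSE_MASTER:-https://idx1.example.com:8089}"

# run: execute a command, or in dry-run mode print it with the credential
# that follows -auth or -remotePassword redacted so secrets never hit logs.
run() {
  if [ "$DRY_RUN" != "1" ]; then
    "$@"
    return
  fi
  mask=0
  out=""
  for a in "$@"; do
    case "$mask" in
      1) a="${a%%:*}:<redacted>" ;;   # -auth takes user:password
      2) a="<redacted>" ;;            # -remotePassword takes the bare password
    esac
    mask=0
    case "$a" in
      -auth) mask=1 ;;
      -remotePassword) mask=2 ;;
    esac
    out="$out $a"
  done
  printf '%s\n' "${out# }"
}

# add_search_peer URI: register one indexer as a search peer of this search head.
# SH_ADMIN/SH_PASS authenticate to the local instance, PEER_ADMIN/PEER_PASS
# to the indexer; the peer credentials are used once, to fetch trust material.
add_search_peer() {
  run "$SPLUNK_HOME/bin/splunk" add search-server "$1" \
    -auth "$SH_ADMIN:$SH_PASS" \
    -remoteUsername "$PEER_ADMIN" -remotePassword "$PEER_PASS"
}

# set_license_master URI: make this instance a license slave of URI.
# (The option is spelled master_uri in the 7.2 docs linked in the thread.)
set_license_master() {
  run "$SPLUNK_HOME/bin/splunk" edit licenser-localslave \
    -master_uri "$1" -auth "$SH_ADMIN:$SH_PASS"
}

# configure_search_head: the whole procedure from the thread, in order:
# peers first, then the license slave setting, then the restart it needs,
# then the two documented list commands to confirm what was applied.
configure_search_head() {
  for peer in $INDEXERS; do
    add_search_peer "$peer"
  done
  set_license_master "$LICENSE_MASTER"
  run "$SPLUNK_HOME/bin/splunk" restart
  run "$SPLUNK_HOME/bin/splunk" list search-server -auth "$SH_ADMIN:$SH_PASS"
  run "$SPLUNK_HOME/bin/splunk" list licenser-localslave -auth "$SH_ADMIN:$SH_PASS"
}

# Only apply when explicitly asked, so sourcing the file has no side effects.
if [ "${APPLY:-0}" = "1" ]; then
  configure_search_head
fi
```

Usage: `DRY_RUN=1 APPLY=1 SH_ADMIN=admin SH_PASS=... PEER_ADMIN=admin PEER_PASS=... sh setup_sh.sh` to review, then drop `DRY_RUN=1` to apply. The search head needs TCP 8089 open to every indexer and to the license master; after the restart the license slave reports in to the master, and `list search-server` should show each peer as up. Later Splunk releases rename the license-slave option, so as dkeck says, pick your version in the docs dropdown before copying commands.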

dkeck
Influencer

If the answer helped please accept it 🙂

0 Karma