Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine two servers in distributed environment?

wojtek_swiatek
Path Finder
‎07-15-2014 06:29 AM

I have a legacy smallserver.example.com which works as a standalone splunk> server, indexer and search head. It has two indexes index1 and index2.

I also have now a brand new bigserver.example.com which I would like to somehow-move splunk so that:

  • bigserver starts to index data in index1
  • searches would reach out to smallserver and bigserver to gather all data from both index1

The rationale for the changes are that smallserver is a historical mess, with plenty of indexes I am not interested in anymore, except for index1. bigserver would take over the indexing and searches (but would still need data from index1 on smallserver).

I would instruct the data sources to point to bigserver. For some time the interesting data (on index1) will therefore reside on both servers.

My questions:

  • is it enough to deploy splunk on bigserver and somehow connect both (I was looking for the "somehow" in the docs about distributed search but they cover way more complicated cases than mine)
  • how can I reach to index1 on smallserver while on bigserver? I looked at how to configure search peers but again it seems overkill for my case.

Thank you!

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-15-2014 06:47 AM

To let bigserver search smallserver you indeed set up smallserver as a distributed search peer in bigserver. It's not as complicated as it sounds - just go to Settings -> Distributed Search -> Add new Search Peer on bigserver. Enter smallserver:8089 as URL and authenticate as a smallserver admin to link them up - that auth is only used once.

Do you have any custom sourcetypes, field extractions, lookups, etc. on smallserver that you need on bigserver?
The most critical bits are index-time configurations such as timestamping, event breaking, etc. - if you don't have those on bigserver when it starts indexing data for index1 then you may be in trouble.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-15-2014 06:47 AM

To let bigserver search smallserver you indeed set up smallserver as a distributed search peer in bigserver. It's not as complicated as it sounds - just go to Settings -> Distributed Search -> Add new Search Peer on bigserver. Enter smallserver:8089 as URL and authenticate as a smallserver admin to link them up - that auth is only used once.

Do you have any custom sourcetypes, field extractions, lookups, etc. on smallserver that you need on bigserver?
The most critical bits are index-time configurations such as timestamping, event breaking, etc. - if you don't have those on bigserver when it starts indexing data for index1 then you may be in trouble.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-15-2014 08:22 AM

index1 existing on both servers isn't going to cause a clash, but rather both instances of index1 to look like one large index when viewed from bigserver. That's intentional, it's how Splunk lets larger customers churn through terabytes of new data per day.

The info you see on bigserver includes search peers. When you search for data you can take a look at the splunk_server field present in every event that tells you which splunk server that event was retrieved from.

0 Karma
Reply
Solved! Jump to solution

wojtek_swiatek
Path Finder
‎07-15-2014 08:07 AM

Interestingly when I look at the main page on bigserver I see
Events Indexed: 34,301,598
Earliest Event: 5 years ago
I hope this is just a view on smallserverand not that the data were actually indexed by bigserver

0 Karma
Reply
Solved! Jump to solution

wojtek_swiatek
Path Finder
‎07-15-2014 08:02 AM

Thank you for your reply. I added the new search peer, can do a search on index=index1 and I will check whether the index1 on bigserver does not clash with the existing one on smallserver(hopefully not). I have plenty of customizations on smallserver but I will port the required subset on bigserver before sending live data to it.

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...