Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to connect search head to new indexer in a distributed environment (beginner here)

maxguttsait
New Member
‎10-15-2019 08:46 AM

Hi all,

Currently, our Splunk dev environment consists of a standalone instance that is both our indexer and search head.
What I am trying to do is set up a new search head that will connect to our production environment indexer, essentially mimicking production in development. I have a brand new instance that I just got set up that will act as a standalone search head.
From here, would I add the indexer as a search peer in a distributed search?
I'm only about a week into learning Splunk, so this stuff definitely confuses me a bit which is why I decided to ask on here.

Please let me know what you guys think is the best solution here.

0 Karma
Reply

sandeepmakkena
Contributor
‎10-15-2019 01:11 PM

Use the CLI
To add a search peer, run this command from the search head:

splunk add search-server ://: -auth : -remoteUsername -remotePassword

Note the following:

  1. is the URI scheme: "http" or "https".
  2. is the host name or IP address of the search peer's host machine.
  3. is the management port of the search peer.
  4. Use the -auth flag to provide credentials for the search head.

  5. Use the -remoteUsername and -remotePassword flags for the credentials for the search peer. The
    remote credentials must be for an admin-level user on the search peer.

    For example:

    splunk add search-server https://192.168.1.1:8089 -auth admin:password -remoteUsername admin -remotePassword passremote
    You must run this command for each search peer that you want to add.

https://docs.splunk.com/Documentation/Splunk/7.3.2/DistSearch/Configuredistributedsearch

You can refer to the above link.

Hope this help, Thanks !

Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2019 11:35 AM

You have it right. Go to Settings->Distributed search and add the existing indexer as a search peer.
Keep in mind that every search run on the two search heads takes up a CPU on the indexer so be careful not to allow Dev to affect the performance of Prod by running a lot of searches and using up resources on the indexer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...