Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to connect search head to new indexer in a distributed environment (beginner here)

maxguttsait
New Member
‎10-15-2019 08:46 AM

Hi all,

Currently, our Splunk dev environment consists of a standalone instance that is both our indexer and search head.
What I am trying to do is set up a new search head that will connect to our production environment indexer, essentially mimicking production in development. I have a brand new instance that I just got set up that will act as a standalone search head.
From here, would I add the indexer as a search peer in a distributed search?
I'm only about a week into learning Splunk, so this stuff definitely confuses me a bit which is why I decided to ask on here.

Please let me know what you guys think is the best solution here.

0 Karma
Reply

sandeepmakkena
Contributor
‎10-15-2019 01:11 PM

Use the CLI
To add a search peer, run this command from the search head:

splunk add search-server ://: -auth : -remoteUsername -remotePassword

Note the following:

  1. is the URI scheme: "http" or "https".
  2. is the host name or IP address of the search peer's host machine.
  3. is the management port of the search peer.
  4. Use the -auth flag to provide credentials for the search head.

  5. Use the -remoteUsername and -remotePassword flags for the credentials for the search peer. The
    remote credentials must be for an admin-level user on the search peer.

    For example:

    splunk add search-server https://192.168.1.1:8089 -auth admin:password -remoteUsername admin -remotePassword passremote
    You must run this command for each search peer that you want to add.

https://docs.splunk.com/Documentation/Splunk/7.3.2/DistSearch/Configuredistributedsearch

You can refer to the above link.

Hope this help, Thanks !

Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2019 11:35 AM

You have it right. Go to Settings->Distributed search and add the existing indexer as a search peer.
Keep in mind that every search run on the two search heads takes up a CPU on the indexer so be careful not to allow Dev to affect the performance of Prod by running a lot of searches and using up resources on the indexer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Digital Resilience Assessment Launch | How prepared are you for disruption?

Disruption is inevitable. The question is – how prepared are you to handle it? In today’s fast-moving digital ...

Buttercup Games: Further Dashboarding Techniques (Part 2)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Index This | What is the next number in the series? 7,645 5,764 4,576…

February 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...