Hi all,
Currently, our Splunk dev environment consists of a standalone instance that is both our indexer and search head.
What I am trying to do is set up a new search head that will connect to our production environment indexer, essentially mimicking production in development. I have a brand new instance that I just got set up that will act as a standalone search head.
From here, would I add the indexer as a search peer in a distributed search?
I'm only about a week into learning Splunk, so this stuff definitely confuses me a bit which is why I decided to ask on here.
Please let me know what you guys think is the best solution here.
Use the CLI
To add a search peer, run this command from the search head:
splunk add search-server <scheme>://<host>:<port> -auth <user>:<password> -remoteUsername <user> -remotePassword <password>
Note the following:
Use the -remoteUsername and -remotePassword flags for the credentials for the search peer. The remote credentials must be for an admin-level user on the search peer.
For example:
splunk add search-server https://192.168.1.1:8089 -auth admin:password -remoteUsername admin -remotePassword passremote
You must run this command for each search peer that you want to add.
https://docs.splunk.com/Documentation/Splunk/7.3.2/DistSearch/Configuredistributedsearch
You can refer to the above link.
Hope this helps, thanks!
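As an added illustration of the CLI procedure in the answer above (this script is not from the thread or from Splunk's own tooling), here is a small POSIX sh wrapper that registers one or more indexers as search peers. It assumes, beyond what the answer states, that SPLUNK_HOME points at the search head's install, that the four credentials are passed in environment variables rather than typed on the command line (so they stay out of shell history), and that peers are reachable over https on the management port, as in the 192.168.1.1:8089 example. DRY_RUN=1 prints the command with the passwords masked so the call can be checked before it is run against the production indexer.

```shell
#!/bin/sh
# Added example, not code from the original thread. Wraps the
# "splunk add search-server" command shown in the answer above.
#
# Assumed inputs (none of these names come from the thread):
#   SPLUNK_HOME  install directory of the search head (default /opt/splunk)
#   LOCAL_USER / LOCAL_PASS    credentials for the search head itself (-auth)
#   REMOTE_USER / REMOTE_PASS  admin-level credentials on the peer
#   DRY_RUN=1    print the command with passwords masked instead of running it

# peer_uri_ok: accept only https://<host>:<port> with a port in 1..65535.
# Rejects plain http (management traffic should stay encrypted) and a
# missing port, both of which the CLI would otherwise pass through.
peer_uri_ok() {
  case "$1" in
    https://*:[0-9]*) ;;
    *) return 1 ;;
  esac
  port="${1##*:}"
  case "$port" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# add_peer: register a single peer. Fails closed on a malformed URI or
# missing credentials so nothing half-configured reaches production.
add_peer() {
  peer="$1"
  peer_uri_ok "$peer" || { echo "bad peer URI: $peer" >&2; return 2; }
  : "${LOCAL_USER:?LOCAL_USER not set}"   "${LOCAL_PASS:?LOCAL_PASS not set}"
  : "${REMOTE_USER:?REMOTE_USER not set}" "${REMOTE_PASS:?REMOTE_PASS not set}"

  if [ "${DRY_RUN:-0}" = 1 ]; then
    # Masked so a dry run can be pasted into a ticket without leaking secrets.
    echo "splunk add search-server $peer -auth $LOCAL_USER:**** -remoteUsername $REMOTE_USER -remotePassword ****"
    return 0
  fi

  "${SPLUNK_HOME:-/opt/splunk}/bin/splunk" add search-server "$peer" \
    -auth "$LOCAL_USER:$LOCAL_PASS" \
    -remoteUsername "$REMOTE_USER" -remotePassword "$REMOTE_PASS"
}

# add_peers: the command must be run once per peer (as the answer notes);
# stop at the first failure so the error is visible rather than buried.
add_peers() {
  for p in "$@"; do
    add_peer "$p" || return $?
  done
}

# Typical use (dry run first, then for real):
#   DRY_RUN=1 LOCAL_USER=admin LOCAL_PASS=... REMOTE_USER=admin REMOTE_PASS=... \
#     sh add_peers.sh https://192.168.1.1:8089
if [ "${0##*/}" = "add_peers.sh" ]; then
  add_peers "$@"
fi
```

Two practical notes on the design: the remote account has to be admin-level on the production indexer, so create a dedicated account for this hand-off rather than reusing a person's login, and prefer the dry run on a shared host, since the real invocation still exposes -remotePassword in the process list for the duration of the command.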
You have it right. Go to Settings->Distributed search and add the existing indexer as a search peer.
Keep in mind that every search run on the two search heads takes up a CPU on the indexer, so be careful not to allow Dev to affect the performance of Prod by running a lot of searches and using up resources on the indexer.