Deployment Architecture

How to integrate a multisite indexer cluster with remote standalone Splunk installations?

Builder

Dear Splunkers,

We have a multisite Indexer Cluster in our datacenter and some remote locations with local standalone Splunk installations. Now we want to connect our search heads of the datacenters to those remote Splunk installations. It's important for us to use Splunk Search Group of search peers because we just want to search those remote Splunk installations when needed to save bandwidth. I saw on distsearch documentation that we cannot use cluster and search group functions at the same time. Does anyone know how can I integrate those two Splunk installations?

Thanks!

0 Karma

SplunkTrust
SplunkTrust

You can search across both clustered and non-clustered search peers

  1. Configure an indexer cluster search head in the standard fashion
  2. Use Splunk Web or the CLI to add one or more non-clustered search peers

Details are here : http://docs.splunk.com/Documentation/Splunk/6.1/Indexer/Configureclusteredandnonclusteredsearch

0 Karma

Builder

Hi renjith.nair,

Thanks for your answer but this don't let me use the search group: http://docs.splunk.com/Documentation/Splunk/6.3.3/DistSearch/Distributedsearchgroups. I need to create a search group because I don't want to search those standalone splunk by default just when I explicitly want.

thanks!

0 Karma

SplunkTrust
SplunkTrust

We do have mixed configuration but never tried search group.
One possibility is that to set up a small standalone instance on your main site(dummy) and add it also as distsearch. Then create two groups with main and remote in each group and make main as default=true.

Other possibility is to add the search head as peer inside the configuration . It's not tested and not sure if it works as we expected

0 Karma