Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to integrate a multisite indexer cluster with remote standalone Splunk installations?

gfreitas
Builder
‎02-17-2016 03:49 AM

Dear Splunkers,

We have a multisite Indexer Cluster in our datacenter and some remote locations with local standalone Splunk installations. Now we want to connect our search heads of the datacenters to those remote Splunk installations. It's important for us to use Splunk Search Group of search peers because we just want to search those remote Splunk installations when needed to save bandwidth. I saw on distsearch documentation that we cannot use cluster and search group functions at the same time. Does anyone know how can I integrate those two Splunk installations?

Thanks!

0 Karma
Reply

renjith_nair
Legend
‎02-17-2016 04:01 AM

You can search across both clustered and non-clustered search peers

  1. Configure an indexer cluster search head in the standard fashion
  2. Use Splunk Web or the CLI to add one or more non-clustered search peers

Details are here : http://docs.splunk.com/Documentation/Splunk/6.1/Indexer/Configureclusteredandnonclusteredsearch

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

gfreitas
Builder
‎02-17-2016 11:47 AM

Hi renjith.nair,

Thanks for your answer but this don't let me use the search group: http://docs.splunk.com/Documentation/Splunk/6.3.3/DistSearch/Distributedsearchgroups. I need to create a search group because I don't want to search those standalone splunk by default just when I explicitly want.

thanks!

0 Karma
Reply

renjith_nair
Legend
‎02-18-2016 12:21 AM

We do have mixed configuration but never tried search group.
One possibility is that to set up a small standalone instance on your main site(dummy) and add it also as distsearch. Then create two groups with main and remote in each group and make main as default=true.

Other possibility is to add the search head as peer inside the configuration . It's not tested and not sure if it works as we expected

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...