Deployment Architecture

Is it possible to create a distributed environment with multiple indexers and pooled search heads in test environment with free splunk installation binary?

Hemnaath
Motivator

Hi All, I am planning to create a Distributed Shared search head pooling setup in our test environment with free splunk installation binary. All the splunk instance will be configured in VM environment and these instance will be used only for testing up gradation of splunk environment.

Kindly let me know whether it can be implemented using Enterprise splunk free installation setup or do we need to buy a splunk license.

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

No you have to use your license, also for test environment, connecting your test Indexers to the License Master Server.

You can use free license only to perform some tests but remember the limits of a free license (see https://www.splunk.com/en_us/products/splunk-enterprise/free-vs-enterprise.html).

Or, if you don't have to modify log indexing (props.conf and transforms.conf), but you have only to develop apps (dashboards, alerts and reports), you could use your test search heads for your developments accessing the production Indexers, but with a little attention because you improve the load on the servers.

Bye.
Giuseppe

0 Karma

Hemnaath
Motivator

thanks Cusello, Actually we are planning to upgrade our distributed shared search head pooling from 6.0.3 to 6.2.1 and we do not have any test environment to preform this activity, so our intension is to do this upgrade activity in test before implementing to prod environment. Kindly guide me whether we need to have license to do this. thanks in advance.

0 Karma

gcusello
SplunkTrust
SplunkTrust

To verify the full functionality of your apps you can use a single search head.
Instead to test the upgrade procedure, you could also use Three Virtual machines that use your indexers as search peers, and after plan a migration.
It's just released version 6.5, try it because has new improved functionalities.
Bye.
Giuseppe

0 Karma

Hemnaath
Motivator

thanks Cusello for your quick response on my doubts. As guided we want to install three splunk instance separately in to three VM machine and configure the same apps that are running in the production environment and check their functionalities. But what about the shared search head pooling instance do we need to configure this in VM machine to replicate the prod environment is this is necessary for performing upgrade test. Kindly guide me on this thanks in advance.

Below are the Shared search pooling setup Prod Environment details

we have two search head, Search job scheduler instance, three indexer are communicating with shared search head pooling instance running separate machine.

Note : All the splunk instance are running with 6.2.1 version and only two search head is running in 6.0.3 version, so first we need to make all our instance to run with same version.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...