Deployment Architecture

Is it possible to create a distributed environment with multiple indexers and pooled search heads in test environment with free splunk installation binary?

Hemnaath
Motivator

Hi All, I am planning to create a Distributed Shared search head pooling setup in our test environment with free splunk installation binary. All the splunk instance will be configured in VM environment and these instance will be used only for testing up gradation of splunk environment.

Kindly let me know whether it can be implemented using Enterprise splunk free installation setup or do we need to buy a splunk license.

Tags (1)
0 Karma

gcusello
Esteemed Legend

No you have to use your license, also for test environment, connecting your test Indexers to the License Master Server.

You can use free license only to perform some tests but remember the limits of a free license (see https://www.splunk.com/en_us/products/splunk-enterprise/free-vs-enterprise.html).

Or, if you don't have to modify log indexing (props.conf and transforms.conf), but you have only to develop apps (dashboards, alerts and reports), you could use your test search heads for your developments accessing the production Indexers, but with a little attention because you improve the load on the servers.

Bye.
Giuseppe

0 Karma

Hemnaath
Motivator

thanks Cusello, Actually we are planning to upgrade our distributed shared search head pooling from 6.0.3 to 6.2.1 and we do not have any test environment to preform this activity, so our intension is to do this upgrade activity in test before implementing to prod environment. Kindly guide me whether we need to have license to do this. thanks in advance.

0 Karma

gcusello
Esteemed Legend

To verify the full functionality of your apps you can use a single search head.
Instead to test the upgrade procedure, you could also use Three Virtual machines that use your indexers as search peers, and after plan a migration.
It's just released version 6.5, try it because has new improved functionalities.
Bye.
Giuseppe

0 Karma

Hemnaath
Motivator

thanks Cusello for your quick response on my doubts. As guided we want to install three splunk instance separately in to three VM machine and configure the same apps that are running in the production environment and check their functionalities. But what about the shared search head pooling instance do we need to configure this in VM machine to replicate the prod environment is this is necessary for performing upgrade test. Kindly guide me on this thanks in advance.

Below are the Shared search pooling setup Prod Environment details

we have two search head, Search job scheduler instance, three indexer are communicating with shared search head pooling instance running separate machine.

Note : All the splunk instance are running with 6.2.1 version and only two search head is running in 6.0.3 version, so first we need to make all our instance to run with same version.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...