Deployment Architecture

Search Heads and Search Peers configuration

SecurityFeller
Explorer

Currently working on deploying Splunk on AWS to work in conjunction with our current on-prem solution and I have 2 questions.

Can I configure our AWS Search heads to function as normal Search Heads AND as search peers for our on-prem solution? Or would I need dedicated search peers?

And would I be able to place the Search peers behind a NLB and point the on-prem distconf file to that NLB? Or would I have to hardcode the instances in the distconf file? 

1 Solution

richgalloway
SplunkTrust

The AWS search heads can service the on-prem system, not as search peers, but as Federated Search (FS) providers.  FS allows one Splunk environment (on-prem, in this example) to query another (AWS) and include those results as part of a local search.  You can read more about FS at https://docs.splunk.com/Documentation/Splunk/latest/FederatedSearch/fsoptions

Never put a load balancer in a network path that uses the Splunk-to-Splunk protocol.  LBs don't know that protocol and can't be relied on to manage the connections correctly.  Put all of the search peers in the servers= line of distsearch.conf or use Indexer Discovery.

---
If this reply helps you, Karma would be appreciated.

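A small configuration audit in the spirit of the advice above, added here as an example (it is not code from the thread or from Splunk): it parses the servers= line of a constructed distsearch.conf and flags peer entries that point at an AWS NLB hostname or that omit the management port. The NLB hostname pattern, the sample hostnames, and the accepted host:port forms are assumptions.

```python
import re
from configparser import ConfigParser

# Constructed sample distsearch.conf (not from the thread): one healthy peer,
# one entry pointing at an AWS NLB DNS name, one entry with no port.
SAMPLE_DISTSEARCH_CONF = """
[distributedSearch]
servers = https://idx1.corp.example:8089, https://my-nlb-0123456789abcdef.elb.us-east-1.amazonaws.com:8089, idx2.corp.example
"""

# Assumption: AWS ELB/NLB DNS names contain ".elb." and end with ".amazonaws.com".
AWS_LB_HOST = re.compile(r"\.elb\.[a-z0-9-]+\.amazonaws\.com$", re.IGNORECASE)
# Assumption: a peer entry is host:port, optionally prefixed with https://.
HOST_PORT = re.compile(r"^(?:https?://)?(?P<host>[^:/]+)(?::(?P<port>\d+))?/?$")


def parse_servers(conf_text):
    """Return the peer entries listed on the servers= line of [distributedSearch]."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_option("distributedSearch", "servers"):
        return []
    raw = cp.get("distributedSearch", "servers")
    return [entry.strip() for entry in raw.split(",") if entry.strip()]


def audit_servers(conf_text):
    """Flag entries that put a load balancer in the Splunk-to-Splunk path,
    or that lack an explicit management port (splunkd defaults to 8089)."""
    findings = []
    for entry in parse_servers(conf_text):
        match = HOST_PORT.match(entry)
        if not match:
            findings.append((entry, "unparseable"))
            continue
        host, port = match.group("host"), match.group("port")
        if AWS_LB_HOST.search(host):
            findings.append((entry, "load balancer in Splunk-to-Splunk path"))
        if port is None:
            findings.append((entry, "missing port"))
    return findings


if __name__ == "__main__":
    for entry, problem in audit_servers(SAMPLE_DISTSEARCH_CONF):
        print(f"{problem}: {entry}")
```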

SecurityFeller
Explorer

Thank you! 
