Deployment Architecture

Search Heads and Search Peers configuration

SecurityFeller
Explorer

Currently working on deploying Splunk on AWS to work in conjunction with our current on-prem solution and I have 2 questions.

Can I configure our AWS Search heads to function as normal Search Heads AND as search peers for our on-prem solution? Or would I need dedicated search peers?

And would I be able to place the Search peers behind a NLB and point the on-prem distconf file to that NLB? Or would I have to hardcode the instances in the distconf file? 

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The AWS search heads can service the on-prem system, not as search peers, but as Federated Search (FS) providers.  FS allows one Splunk environment (on-prem, in this example) to query another (AWS) and include those results as part of a local search.  You can read more about FS at https://docs.splunk.com/Documentation/Splunk/latest/FederatedSearch/fsoptions

Never put a load balancer in a network path that uses the Splunk-to-Splunk protocol.  LBs don't know that protocol and can't be relied on to manage the connections correctly.  Put all of the search peers in the servers= line of distsearch.conf or use Indexer Discovery.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

SecurityFeller
Explorer

Thank you! 

richgalloway
SplunkTrust
SplunkTrust

The AWS search heads can service the on-prem system, not as search peers, but as Federated Search (FS) providers.  FS allows one Splunk environment (on-prem, in this example) to query another (AWS) and include those results as part of a local search.  You can read more about FS at https://docs.splunk.com/Documentation/Splunk/latest/FederatedSearch/fsoptions

Never put a load balancer in a network path that uses the Splunk-to-Splunk protocol.  LBs don't know that protocol and can't be relied on to manage the connections correctly.  Put all of the search peers in the servers= line of distsearch.conf or use Indexer Discovery.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...