Deployment Architecture
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Heads and Search Peers configuration

SecurityFeller
Explorer
‎05-15-2024 01:06 PM

Currently working on deploying Splunk on AWS to work in conjunction with our current on-prem solution and I have 2 questions.

Can I configure our AWS Search heads to function as normal Search Heads AND as search peers for our on-prem solution? Or would I need dedicated search peers?

And would I be able to place the Search peers behind a NLB and point the on-prem distconf file to that NLB? Or would I have to hardcode the instances in the distconf file? 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-15-2024 02:01 PM

The AWS search heads can service the on-prem system, not as search peers, but as Federated Search (FS) providers.  FS allows one Splunk environment (on-prem, in this example) to query another (AWS) and include those results as part of a local search.  You can read more about FS at https://docs.splunk.com/Documentation/Splunk/latest/FederatedSearch/fsoptions

Never put a load balancer in a network path that uses the Splunk-to-Splunk protocol.  LBs don't know that protocol and can't be relied on to manage the connections correctly.  Put all of the search peers in the servers= line of distsearch.conf or use Indexer Discovery.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

SecurityFeller
Explorer
‎05-17-2024 08:16 AM

Thank you! 

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-15-2024 02:01 PM

The AWS search heads can service the on-prem system, not as search peers, but as Federated Search (FS) providers.  FS allows one Splunk environment (on-prem, in this example) to query another (AWS) and include those results as part of a local search.  You can read more about FS at https://docs.splunk.com/Documentation/Splunk/latest/FederatedSearch/fsoptions

Never put a load balancer in a network path that uses the Splunk-to-Splunk protocol.  LBs don't know that protocol and can't be relied on to manage the connections correctly.  Put all of the search peers in the servers= line of distsearch.conf or use Indexer Discovery.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top