Hello All,
I have two high-performance servers for Splunk in different segments.
The first server will receive data and send it to the second one (indexer).
Additional restrictions:
But I don't want to dedicate the first server only as a forwarder.
Question:
Is it possible to use the first server also to optimize search performance?
I suppose that I can use the first server as an indexer, the second one as a forwarder and a search head. But if we have only one indexer, will we get a performance improvement from the dedicated search head?
Best regards, Artem.
Yes you can (and IMHO should) make it an Indexer, too, which should double your search performance.
Sorry I didn't write in the first post:
A volume to store the indexed data can be connected to only one server - the indexer in the first post. So there can be only one indexer.
Best regards, Artem.
You can make the Forwarder your Search Head so that you are not logging into the Indexer directly to run Searches. This will help some to speed things up. Because your Forwarder is handling so small a data stream that it can be handled by a single Indexer, I am sure it can also handle the load of being a Search Head.
Thanks, you support my supposition. I also found indirect confirmation in the documentation. Splunk recommends using one search head for one indexer if we have from 2 to 250 GB daily indexing volume with up to 16 users.
I also suppose I can forward the users to the search head and to the indexer directly, to use the indexer to perform search requests too.
Unfortunately, I can't find in the documentation how to use a dedicated search head without an indexer cluster. Do I need to make a cluster with one indexer?
And how do I distribute user settings (if I can use the indexer to perform search requests) - mount the Knowledge bundle (../splunk/etc) from one server to another?
Best regards, Artem.
I found a document on connecting a search head with a search peer (indexer) without an indexer cluster:
http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/Configuredistributedsearch
So now only the last questions remain:
Could I use the indexer to perform search requests too?
And how do I distribute user settings (if I can use the indexer to perform search requests) - mount the Knowledge bundle (../splunk/etc) from one server to another?
Best regards, Artem.
Yes, by default, your Indexer should have a web interface on port 8000 (or is it 8080?) and if you browse to it on that port, it will let you log in and run searches on it. This should not require any configuration. I would advise against doing so, though.
Best regards, Artem.
First of all, 1 Search Head (your Forwarder) will probably be just fine forever, so you don't need more than 1 (no benefit). You only have 1 indexer, so it is going to handle all of the base parts of every search, so don't add even more burden to it.
Best regards, Artem.