Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise POC - Architecture: Is it possible to install a forwarder, indexer, and search head on one Linux box?

deepak02
Path Finder
‎01-27-2017 02:46 PM

Hi,

I am well trained in Splunk Dashboarding. I would like to try out a POC of the Splunk Enterprise with the below features (strictly).

  1. The architecture consists of 1 forwarder, 1 indexer and 1 search head all running on Linux boxes, The log file is very small with <100 KB of data.
  2. I want all of the installation/configuration to be done using .conf files.

I have the following questions,
Q1: Can I install the forwarder, indexer and search head together on one Linux box? I am not worried about the performance, I just want to see the data indexed and displayed properly.

Q2: I only have a Windows PC. Can I install Splunk Enterprise on VMWare (which mimics a Unix box) or can I install it on a free online Linux box? - Please provide suggestions

Q3: Is there a Unix way to test that the forwarder is indeed forwarding data to the indexer? (I do not want to check it in Splunk Web)

Thanks,
Deepak

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ddrillic
Ultra Champion
‎01-27-2017 05:11 PM

Q1 - the Splunk Enterprise software package consists of the indexer, the search head, the deployment server, the license master and more. The Universal Forwarder software package consists of the Universal Forwarder and the deployment client. So, you really need to install only these two packages.

Q2 - you can install the Splunk Enterprise on VMWare. That's what we do.

Q3 - this can help - I can't find my data!

Please let us know how it goes...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ddrillic
Ultra Champion
‎01-27-2017 05:11 PM

Q1 - the Splunk Enterprise software package consists of the indexer, the search head, the deployment server, the license master and more. The Universal Forwarder software package consists of the Universal Forwarder and the deployment client. So, you really need to install only these two packages.

Q2 - you can install the Splunk Enterprise on VMWare. That's what we do.

Q3 - this can help - I can't find my data!

Please let us know how it goes...

0 Karma
Reply
Solved! Jump to solution

deepak02
Path Finder
‎02-02-2017 07:40 AM

It worked yay!!!!!

I was able to see data from forwarder on the indexer, but am getting an error on the search head-indexer connection.

When search head tries to connect to the indexer, the error is:

Error [00000080] Failed 12 out of 11 times.REST interface to peer is taking longer than 5 seconds to respond on https. Peer may be over subscribed or misconfigured. Check var/log/splunk/splunkd.log on the peer.

Thanks for all your advice so far. Will you be able to help me on this too please...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...