Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Use standalone Splunk as a search peer

thulasikrishnan
Path Finder
‎07-29-2019 08:57 AM

Hi
I am doing a short term gig building dashboards in Splunk and I have a production standalone Splunk Enterprise single instance deployment which I don't have admin access to. But I do have admin access to the Dev instance. Dev instance however has no data in it. My gut tells me I can make the production instance a search peer to my Dev box and start using production data to build dashboards in Dev. But I see this in Splunk documentation Important: A search head should not perform a dual function as a search peer. The only exception to this rule is for the distributed management console, which functions as a "search head of search heads." I could not find anymore details whether this is a technical infeasibility or a performance best practice.

Has anybody tried this before?

0 Karma
Reply

thulasikrishnan
Path Finder
‎07-30-2019 11:00 AM

Just a thought I had. If I get the relevant buckets with suitable time periods copied over from Dev to Prod, I should be able to achieve my goal. It is a standalone Splunk instance so I don't think the instance GUID is part of. I know the sysadmin is going to give me the looks. I also know this is not exactly the answer to my question. But just presenting it as a solve to achieve the end goal.

0 Karma
Reply

brschaefer_splu
Splunk Employee
Splunk Employee
‎07-29-2019 01:12 PM

When in an environment where I need to do "dev on a budget" I've configured a dev search head to peer the prod indexers. This has some limitations, but is generally a pretty reliable way to build and test apps as you get a full dataset to utilize and you get to ensure that your new saved searches don't over-schedule a block of time.

0 Karma
Reply

thulasikrishnan
Path Finder
‎07-29-2019 01:34 PM

I am a bit skeptical after reading the Splunk docs as the Production set up that I am dealing with is a standalone single instance deployment and not an indexer only instance. I don't know if making it a search peer to my Dev instance will impact its active prod SH duties.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2019 10:15 AM

Can you export data from production and import it into Dev?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

thulasikrishnan
Path Finder
‎07-29-2019 10:28 AM

To comprehensively cover all use cases, I need at least 8 days worth of data. But the Dev is pooling license with prod. So I can't import that much logs into Dev without license violations.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...