Deployment Architecture

Discussions

Thread Info

In a mulit-site cluster, does Splunk replicate just the data to the remote and then the remote site indexer indexes the data?

In an multi-site cluster Splunk replicates the data to the remote site, but doe Splunk also replicate the index infor...

by Communicator in

Can same server be SH , indexer and console for splunk enterprise

need to install the splunk enterprise and wanted to make SH and indexer , universal forwarder same system , please a...

by Observer in

Storing Cold Database on NAS

Having trouble finding an answer for this one but is it possible to change just the cold database location to a NAS f...

by New Member in

Migrate from indexer cluster to standalone instance

Hi, I have a legacy Splunk Enterprise cluster that consists of: 1 cluster master3 indexers, forming an indexer ...

by Explorer in

I need to down size the number of indexers to half

Hi Team,I need to decrease the number of indexers used to half, in my current configurations we have site replication...

by Communicator in

Is it possible to have multiple license managers behind a load balancer?

I wasn't sure if having multiple different license managers would cause any violations. Ideally we really do not lik...

by Contributor in

HF High Availability - Container Setup

Hi Team, I want to implement HF as in HA in container setup. can you help here ?

by New Member in

Question about the replication factor in searchhead clustering.

Hello. I am a Splunk newbie. I have a question about the replication factor in searchhead clustering. Looking at ...

by Path Finder in

Universal Forwarder is slow to manage large files

Hello, I use an Universal Forwarder to monitor syslog-ng logs. The logs are splited in 24 logs for one day (so 1 log ...

by Engager in

Can you disable the management port (8089) on clients via the Deployment Server?

We're looking to disable the management port (8089) on current and future clients. Can this be done from a policy or ...

by Path Finder in

RP / SF not OK after decomissionning 1 indexer - Multi site indexer clustering

Hi all, Im under Splunk Version 9.0.2. After decomissionning one indexer in a multi site clustering, I cant retriev...

by Path Finder in

Creating Indexes While Balancing Least Privilege and Search Efficiency for Security Service Providers

Hello, I'm am wondering how other security service providers have handled this issue or what is best practice To ...

by Explorer in

Props and transforms not working deployment server

Hi, UF etc/apps/remo/local placed the inputs,outputs,props and tranforms configuration files and search the da...

by Loves-to-Learn Everything in

Picking which logs to monitor

When monitoring Windows systems which logs do you find to give the best information for finding security events and t...

by Explorer in

How to detect duplicate GUIDs on forwarders?

There are a number of posts on how to fix duplicate GUIDs on FWDs (https://answers.splunk.com/answers/32368/duplicate...

by Contributor in

Splunk Search Head Captain Election

Hello. I have a question about the captain selection process. Let me ask you a question using the example below....

by Path Finder in

splunk offline --enforce-counts looks stuck after 3 days of the decommission on first indexer of a multi site cluster

Hi all, I'm actually have to decomission 6 indexers on a 9/9 multi site cluster of indexers. The command passed...

by Path Finder in

How to configure Splunk opentelemetry collector in kubernetes with an OTLP receiver

Hi, I'm new to Splunk and relatively inexperienced with DevOps topics. I have a Splunk Opentelemetry Collector deploy...

by New Member in

How to make a cluster take over the data of an indexer that just joined the cluster

Hello Everyone There is one index cluster, one search header, one management node, and three peers. The configurati...

by New Member in

Estimated date/release for end of support of Linux kernel 2.6

Hello, I see that Linux kernel 2.6 is deprecated since 1 year (on April 2018, with Splunk 7.1.0). https://docs.spl...

by Explorer in

Configure a dedicated server for all data replication

while configuring RF and SH, can we configure that only one server should be used for saving all copies of data and d...

by Communicator in

Clarification on indexer and search head

I am aware of forwarder -> indexer -> search head. However, when reading about streaming commands, Splunk states "A d...

by Explorer in

REST API for local user not working through SHC load balancer URL

Hi all, I am trying to authenticate a user against REST API but when testing via CURL, it is failing when using LB ...

by Builder in

How to determine the Forwarder that is sending data to a particular Index? Not Indexer!

So I am troubleshooting missing data from hosts, I have the index name that is missing the data, and so I would like ...

by Engager in

Splunk frozen bucket storage - management

Hi, Does anyone out there use any archiving software to monitor, report and manage frozen bucket storage in an on-p...

by Explorer in

Get Updates on the Splunk Community!

Deployment Architecture

Discussions

In a mulit-site cluster, does Splunk replicate just the data to the remote and then the remote site indexer indexes the data?

Can same server be SH , indexer and console for splunk enterprise

Storing Cold Database on NAS

Migrate from indexer cluster to standalone instance

I need to down size the number of indexers to half

Is it possible to have multiple license managers behind a load balancer?

HF High Availability - Container Setup

Question about the replication factor in searchhead clustering.

Universal Forwarder is slow to manage large files

Can you disable the management port (8089) on clients via the Deployment Server?

RP / SF not OK after decomissionning 1 indexer - Multi site indexer clustering

Creating Indexes While Balancing Least Privilege and Search Efficiency for Security Service Providers

Props and transforms not working deployment server

Picking which logs to monitor

How to detect duplicate GUIDs on forwarders?

Splunk Search Head Captain Election

splunk offline --enforce-counts looks stuck after 3 days of the decommission on first indexer of a multi site cluster

How to configure Splunk opentelemetry collector in kubernetes with an OTLP receiver

How to make a cluster take over the data of an indexer that just joined the cluster

Estimated date/release for end of support of Linux kernel 2.6

Configure a dedicated server for all data replication

Clarification on indexer and search head

REST API for local user not working through SHC load balancer URL

How to determine the Forwarder that is sending data to a particular Index? Not Indexer!

Splunk frozen bucket storage - management

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Offline Logging and oberservability - on permises

v0.116.0 upgrade for EKS cluster gives webhook err...

Does a props/transforms.conf Visio stencil exist?

My servers class Agent allways in Pending status

splunk_internal_telemetry:53 - Failed to send tele...

Deployment Architecture

Are you a member of the Splunk Community?

Discussions