Hello,
I have one Splunk instance (Windows) and I would like to add a Linux search head for the indexer. Could I do this? Will this cause problems?
Thanks
You can mix-and match HW and OS anywhere and it should work fine. The only exception is that if you use a Windows Deployment Server for Linux Forwarders, you are likely to have problems with permissions.
There is one other notable exception: If you are using indexer clustering, all indexers must be at the same OS flavor and version AND Splunk needs to be at the exact same version on all peer nodes as well.
So you can't have five Windows boxes and two Linux servers be part of a cluster. But no sane person would consider doing that anyway....
I would generally try to stick with a homogeneous search, indexing & management environment as much as possible (preferably Linux) for all kinds of reasons.
No, i have one indexer (windows) and i would add a linux search head, is this possible ?
Yes, it is possible.
No, i have a windows indexer which contains also the deployment server and i would like to add a linux search head for the entreprise security app
Isn't the Windows Deployment Server for Linux Forwarders even worse? That's what we had in my last place and it was breaking the permission model every single time a deployment was made, so we ended up scripting a fix for it.
I thought this wasn't the case on a Linux Deployment Server for Windows Forwarders?
What is the alternative then? Have two deployment servers one for Windows and one for Linux?
Thanks,
Javier
You are correct, I said it backwards. I went back and fixed my answer.
This is fully supported. Refer to the documentation on configuring distributed search in order for your SH to use the indexer.
thank you for your answer, i did not found the information in splunk docs.