Hi team!
I have a question.
Actually I have a standalone server.
My plan is to have 2 servers: an indexer and a search head.
What do I have to do?
Please help. This is my very first time.
Thank you a lot.
Can you help me?
Please help me.
Should the forwarder be installed on the search head, on the search index (peer), or on both of them?
Please help me.
I don't have enough time. Please help me.
I don't have enough time for deploying.
Can you help me?
My problem is the forwarder: should the universal forwarder be installed just on the search head or on the search index (peer)?
Take a deep breath. Please post a new question describing your problem. Forwarders are not installed on either search heads or indexers, but we'll address that with your question.
Hi,
Please give me your advice about this link. Is it OK for deploying the universal forwarder and search indexer? After these, should I just deploy the search head?
In this link, the forwarder is installed on the search indexer, but you say no, the universal forwarder should be installed on your host (in my case, I have 3 nodes in VMware and my system (Windows)). Then in my case, should I install and deploy the universal forwarder on Windows, or on my search indexers (2 of the 3 nodes; one of them will be the search head)? If yes, should I install a forwarder on each of the search indexers, with port 9997? Won't that create a conflict?
The link is:
https://www.youtube.com/watch?v=ST3UOM4TS60
Please help me, I have been busy deploying distributed Splunk for a week, please help me.
I don't have enough time; my dissertation time will be finished in the next few days.
Please help me,
Thanks.
Hi @nasimm,
Please post a brand new question to get help with the issue, rather than posting a comment on a previous question.
To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.
Thanks!
I would actually suggest focusing on what the official documentation has to offer. That way if you open a support case for help, you are in line with what is supported.
Two sets of documentation that will be of use to you: Distributed Deployment Manual and Distributed Search. The second link even has a page that walks you through exactly what you're working on.
Here are some notes I had which will summarize the steps. Even though you will have just one indexer, this will be the same process.
Install Universal Forwarders and configure to send to all Search Peers
Example Universal Forwarder outputs.conf
[tcpout]
defaultGroup = my_search_peers
[tcpout:my_search_peers]
server=10.10.10.1:9997,10.10.10.2:9997
autoLB = true
Forward internal SH data to the indexer tier.
[indexAndForward]
index = false
[tcpout]
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false
[tcpout:my_search_peers]
server=10.10.10.1:9997,10.10.10.2:9997
autoLB = true
Configuration via files:
Change password from changeme to something else on the indexers:
./splunk edit user admin -password foo -role admin -auth admin:changeme
Configure indexers as license slaves: https://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/LicenserCLIcommands
./splunk edit licenser-localslave -master_uri 'https://master:8089'
Add search peer to Search Head:
splunk add search-server https://192.168.1.1:8089 -auth admin:password -remoteUsername admin -remotePassword passremote
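A small linter for the outputs.conf settings in the notes above, as an added example that is not part of the original answer or Splunk's own tooling: it checks that defaultGroup points at a tcpout group with valid host:port servers, flags the notes' placeholder addresses, and for a search head compares against the `index = false` and `forwardedindex.filter.disable = true` values the notes use. The function names and the sample config are assumptions made for illustration.

```python
import re
# Placeholder addresses used in the notes above (must be replaced per environment).
PLACEHOLDERS = {"10.10.10.1", "10.10.10.2"}
# Constructed sample: a search-head outputs.conf with three problems.
SAMPLE = """
[tcpout]
defaultGroup = my_search_peers
[tcpout:my_search_peers]
server = 192.0.2.10:9997,10.10.10.2:9997
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    conf, stanza = {}, "default"
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1)
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf

def lint_outputs(text, search_head=False):
    """Return the problems found in an outputs.conf body, as strings."""
    conf, problems = parse_conf(text), []
    tcpout = conf.get("tcpout", {})
    groups = [g.strip() for g in tcpout.get("defaultGroup", "").split(",") if g.strip()]
    if not groups:
        problems.append("no defaultGroup in [tcpout]")
    for group in groups:
        servers = conf.get("tcpout:" + group, {}).get("server", "")
        if not servers:
            problems.append(f"[tcpout:{group}] missing or has no server list")
        for server in filter(None, map(str.strip, servers.split(","))):
            host, _, port = server.rpartition(":")
            if not host or not port.isdigit() or not 0 < int(port) < 65536:
                problems.append(f"bad host:port entry {server!r}")
            elif host in PLACEHOLDERS:
                problems.append(f"placeholder address {host} still present")
    if search_head:  # compared against the values the notes use for the search head
        if conf.get("indexAndForward", {}).get("index", "").lower() != "false":
            problems.append("[indexAndForward] index is not false")
        if tcpout.get("forwardedindex.filter.disable", "").lower() != "true":
            problems.append("forwardedindex.filter.disable is not true")
    return problems

if __name__ == "__main__":
    print(lint_outputs(SAMPLE, search_head=True))
```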
So the universal forwarder will be installed on the indexers?
Also, you said in the last part that the forwarder does not need to be installed on the search head, but in your commands you turn this off from the search peer (indexer). It confused me.
[tcpout]
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false
[tcpout:my_search_peers]
server=10.10.10.1:9997,10.10.10.2:9997
autoLB = true
I actually installed my 10Gb license in the indexer...
What can I do now?
Just a note, be sure to replace any placeholder IP addresses in these notes with the appropriate IPs in your environment.