We are planning to expand our existing Splunk setup.
Present : We have one Splunk indexer (172.16.XX.XX); we are forwarding data to that indexer and accessing the Splunk UI on that server.
Planning : one new indexer on a new server (172.16.XX.XX) and one search head on a new server (172.16.XX.XX).
Final setup : two indexers and one search head.
Below are some queries:
• What do we need to install for one new indexer and a search head?
• How can we forward data to the new indexer and to the old indexer from all the forwarders? How can we access the Splunk UI for the new search head? Are there any ports or routes we need to open on the new servers?
• Here, we will forward data to both the new and old indexers, and we can access the Splunk UI for the new search head. How can we see the indexed data in the Splunk UI?
Please find the answers below.
autoLB, data will be distributed among both indexers, and in future if any one indexer goes down you will lose half of the data, so you need to consider this as a risk. To avoid this situation it will be good to set up an Indexer Cluster.
http, so you can access the Splunk search head UI with the URL
http://<search head FQDN/IP>:8000
To conclude the above steps the Splunk way, you can read this documentation.
I hope this helps.
It will be good to accept my answer so that this question will be closed and other people will be able to refer to this answer in future.
Now we have the indexer and search head on the same server. We need to disable the search head on the old server and make the new server the search head for both indexers. How can we do this?
If you want to use the new search head with a fresh installation and do not want to migrate any reports/alerts, dashboards, field extractions etc. from the old search head, then you just need to follow the last points which I have given in my answer. To search data from both indexers on the search head, you need to configure search peers (indexers) on the search head. Very good documentation here.
If you want to migrate knowledge objects (reports/alerts, dashboards, field extractions etc.) from the old search head to the new search head, then follow the last points in my answer and additionally you need to copy the
$SPLUNK_HOME/etc/apps/<App name>/local/ and
$SPLUNK_HOME/etc/users/<Username>/<App name>/local/ directories from the old search head to the new search head, and the
$SPLUNK_HOME/etc/apps/<App name>/metadata/local.meta and
$SPLUNK_HOME/etc/users/<Username>/<App name>/metadata/local.meta from the old search head to the new search head.
Finally, restart Splunk on the new search head.
I hope this helps.
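As an added example (not part of the thread and not Splunk's own tooling), the following POSIX shell script does the two things this answer describes: it copies the four knowledge-object paths listed above for one app and one user from a fetched snapshot of the old search head's etc/ into the new search head, and then registers both indexers as search peers with `splunk add search-server`, which is the CLI form of the search-peer configuration the answer points to. The management port 8089 is Splunk's default; the hostnames, app name, user name and credentials are placeholders, and the copy step assumes app and user names without whitespace.

```shell
#!/bin/sh
# Added example (not from the thread): migrate knowledge objects from the old
# search head and register both indexers as search peers of the new one.
# Hostnames, app/user names and credentials below are placeholders.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# The four paths the answer lists, relative to $SPLUNK_HOME/etc, for one app
# and one user. Printed one per line so a caller can loop over them.
knowledge_object_paths() {
    app="$1"; user="$2"
    printf '%s\n' \
        "apps/$app/local" \
        "users/$user/$app/local" \
        "apps/$app/metadata/local.meta" \
        "users/$user/$app/metadata/local.meta"
}

# Copy those paths from SRC_ETC (a local copy of the old search head's
# $SPLUNK_HOME/etc, e.g. fetched with scp -r) into DST_ETC, keeping the same
# directory layout. Paths missing on the source are skipped, not errors.
# Prints the number of paths copied. Assumes names without whitespace.
copy_knowledge_objects() {
    src_etc="$1"; dst_etc="$2"; app="$3"; user="$4"
    copied=0
    for rel in $(knowledge_object_paths "$app" "$user"); do
        if [ -e "$src_etc/$rel" ]; then
            mkdir -p "$(dirname "$dst_etc/$rel")"
            # Copying into the parent keeps the basename (local/ or local.meta)
            # and merges into an existing local/ on the destination.
            cp -R "$src_etc/$rel" "$(dirname "$dst_etc/$rel")/"
            copied=$((copied + 1))
        fi
    done
    echo "$copied"
}

# Register each indexer as a search peer via the splunk CLI (the same thing
# the web UI's search-peer page does). Needs a live install and real
# credentials, so it is not exercised by any automated check here.
add_search_peers() {
    auth="$1"; remote_user="$2"; remote_pass="$3"; shift 3
    for idx in "$@"; do
        "$SPLUNK_HOME/bin/splunk" add search-server "https://$idx:8089" \
            -auth "$auth" -remoteUsername "$remote_user" -remotePassword "$remote_pass"
    done
}

# Full run, enabled only when MIGRATE_RUN=1 so the functions can be sourced
# and tested without touching a Splunk install. OLD_INDEXER_IP and
# NEW_INDEXER_IP are placeholders for the two indexers in the thread.
if [ "${MIGRATE_RUN:-0}" = "1" ]; then
    copy_knowledge_objects /tmp/old-sh-etc "$SPLUNK_HOME/etc" search admin
    add_search_peers admin:changeme admin changeme OLD_INDEXER_IP NEW_INDEXER_IP
    "$SPLUNK_HOME/bin/splunk" restart   # the answer's final step
fi
```

Run it once per app (and per user who owns private objects) with `MIGRATE_RUN=1`, after fetching the old search head's etc/ with `scp -r`; anything the user later deletes from the old indexer, as the follow-up answer suggests, is then already present on the new search head.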
I think this is for making a new server a search head. How can we disable the search head in the existing setup (stand-alone)?
There is no such setting to disable the search head on indexers; however, you can remove customised role mappings from authentication.conf and custom roles from authorize.conf.
Also, you need to remove the knowledge objects (reports/alerts, dashboards, field extractions etc.) which were created by users on that indexer so that it will not run those knowledge objects.
Hi @harsmarvania57 - I accepted your answer; it is helpful to me. Thank you.
For more clarity, a few more doubts. Please suggest.
We want to forward data to the two indexers from all the forwarders. Can you please suggest one good way to configure this? (autoLB or any node configuration)
We have a license for the existing setup. How can we share it with the new indexer?
autoLB is a good method to distribute data among indexers, but the only drawback in your environment is that when one indexer goes down you will lose half of the data.
Another method is to clone data to both indexers, but it will use double the license & storage, so I would not prefer that method; stick with autoLB and consider the risk that you will lose data when any indexer is down.
Regarding sharing the license with another indexer, can you please let us know on which server the license is currently installed?
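The two forwarding approaches this answer contrasts, rendered as forwarder-side outputs.conf, as an added example that is not part of the thread or of Splunk's own documentation. The autoLB variant puts both indexers in one tcpout group; the clone variant lists two single-indexer groups in defaultGroup so every event goes to both. The 9997 receiving port is an assumption (it is the conventional Splunk receiving port; the thread names none) and the indexer addresses are placeholders. The classifier at the end reads a rendered outputs.conf back and labels it, so a forwarder's config can be sanity-checked before rollout: with autoLB, data already indexed on an indexer is unsearchable while that indexer is down, which is the risk the answer describes and why it recommends an indexer cluster.

```shell
#!/bin/sh
# Added example (not from the thread): render the forwarder outputs.conf for
# autoLB versus cloning, and classify a config by the redundancy it provides.
# 9997 (receiving port) and the indexer addresses are assumptions/placeholders.
set -eu

# autoLB: one tcpout group listing both indexers; the forwarder alternates
# between them, so each indexer ends up holding roughly half of the data.
render_autolb() {
    idx_a="$1"; idx_b="$2"
    cat <<EOF
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = $idx_a:9997,$idx_b:9997
autoLB = true
EOF
}

# Clone: two groups, one indexer each, both named in defaultGroup, so every
# event is sent to both indexers. Doubles license usage and storage.
render_clone() {
    idx_a="$1"; idx_b="$2"
    cat <<EOF
[tcpout]
defaultGroup = indexer_a,indexer_b

[tcpout:indexer_a]
server = $idx_a:9997

[tcpout:indexer_b]
server = $idx_b:9997
EOF
}

# Read an outputs.conf on stdin and print one of:
#   clone  - more than one group in defaultGroup (every event duplicated)
#   autolb - a single group whose server list has at least two indexers
#   single - one group, one server: no second indexer configured at all
classify_outputs() {
    groups=0; servers=0
    while IFS= read -r line; do
        case "$line" in
            defaultGroup*=*)
                groups=$(printf '%s' "${line#*=}" | tr ',' '\n' | grep -c '[^[:space:]]') || groups=0 ;;
            server*=*)
                servers=$(printf '%s' "${line#*=}" | tr ',' '\n' | grep -c '[^[:space:]]') || servers=0 ;;
        esac
    done
    if [ "$groups" -gt 1 ]; then echo clone
    elif [ "$servers" -gt 1 ]; then echo autolb
    else echo single; fi
}

# Demo with placeholder addresses: each rendered config classified back.
render_autolb OLD_INDEXER_IP NEW_INDEXER_IP | classify_outputs   # autolb
render_clone  OLD_INDEXER_IP NEW_INDEXER_IP | classify_outputs   # clone
```

Write the chosen rendering to `$SPLUNK_HOME/etc/system/local/outputs.conf` on each forwarder (or ship it in a deployment app) and make sure both indexers are listening on the same receiving port; a config that the classifier labels `single` still has only one indexer and gives none of the distribution the question asks for.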