Hi all,
Like the title says, is it possible to run Splunk Light with 2 indexers and a search head? Or is this a Splunk enterprise only configuration?
Many thanks,
Hi,
Looking at the comparison page on Splunk's site (https://www.splunk.com/en_us/products/splunk-light/splunk-light-vs-splunk-enterprise.html)
I'd say no.
What you're describing is called 'Distributed Search' and it doesn't look like this is supported in Splunk Light.
But, depending on your use-case, do you need multiple servers (Indexers & Search Heads)?
Splunk is pretty performant even running as a standalone server. If you haven't already, get one installed with either the Trial or Free license and see how you get on.
Hi,
Looking at the comparison page on Splunk's site (https://www.splunk.com/en_us/products/splunk-light/splunk-light-vs-splunk-enterprise.html)
I'd say no.
What you're describing is called 'Distributed Search' and it doesn't look like this is supported in Splunk Light.
But, depending on your use-case, do you need multiple servers (Indexers & Search Heads)?
Splunk is pretty performant even running as a standalone server. If you haven't already, get one installed with either the Trial or Free license and see how you get on.
Thanks for the confirmations,
We have 2 datacenters, while they won't be indexing a lot of data, we want to avoid unnecessary intersite traffic, which is why we wanted 2 indexers with a searchhead.
Many thanks,
Ah,
I can see where you're coming from.
I think in your position, I'd absolutely start with a single server set-up in one of your datacenters. Run it there as a PoC for a good few weeks with a variety of inputs.
Then you'll be able to see the volumes that you're getting for your different hosts & sources, etc over time. Use the very excellent built-in Monitoring Console to drill down into this info.
This will then give you a really good feel for the volume of data (intersite traffic) which you may get from similar feeds from your second datacenter.
That will then allow you to weight up the value of going with Enterprise (with Distributed Search) or Light. You never know, it may be more cost effective to up the bandwidth between your DCs!
Enjoy.
This is correct, it is not possible. Distributed search is not a function in Splunk Light.