Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there an alternative to Splunk Free for a distributed search POC?

deepak02
Path Finder
‎02-02-2017 08:12 AM

Hi,

I am trying a POC on my personal PC where

  • Forwarder is on one machine (Linux)
  • Indexer + Search Head on another machine (Mac OS)

I am using Splunk Enterprise downloaded for free.

ISSUE: I am able to see the data on the indexer, but the Search Head is not connecting to the indexer. (Error: REST interface to peer is taking longer than 5 seconds to respond on https. Peer may be over subscribed or misconfigured).

QUESTION:
I read that Splunk Free does not provide Distributed Search. Is that the reason why my Search Head to Indexer connection is not working?

Which Splunk product (free or very cheap) should I use to implement the above architecture (three tier on two machines) ?

Thanks,
Deepak

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎02-02-2017 09:14 AM

If you are using the trial version of Splunk, you have all the Enterprise features for the first 60 days. So distributed search will work for 60 days, which should be enough time for a POC.

If the search head is not connecting to the indexer, I suspect that it is not configured properly. If you could show us the settings in distsearch.conf on the search head, the community can probably help you debug it. (You will probably find it in $SPLUNK_HOME/etc/system/local)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-02-2017 12:32 PM

If you run search head and indexer on the same machine, there is no need for distributed search. The indexer IS the search head. Distributed search comes into play when you have 2+ indexers.
What are the success criteria for your PoC? Do you need to prove that distributed search works for your PoC to be successful?

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎02-02-2017 09:14 AM

If you are using the trial version of Splunk, you have all the Enterprise features for the first 60 days. So distributed search will work for 60 days, which should be enough time for a POC.

If the search head is not connecting to the indexer, I suspect that it is not configured properly. If you could show us the settings in distsearch.conf on the search head, the community can probably help you debug it. (You will probably find it in $SPLUNK_HOME/etc/system/local)

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...