Getting Data In

Is there an alternative to Splunk Free for a distributed search POC?

Path Finder

Hi,

I am trying a POC on my personal PC where

  • Forwarder is on one machine (Linux)
  • Indexer + Search Head on another machine (Mac OS)

I am using Splunk Enterprise downloaded for free.

ISSUE: I am able to see the data on the indexer, but the Search Head is not connecting to the indexer. (Error: REST interface to peer is taking longer than 5 seconds to respond on https. Peer may be over subscribed or misconfigured).

QUESTION:
I read that Splunk Free does not provide Distributed Search. Is that the reason why my Search Head to Indexer connection is not working?

Which Splunk product (free or very cheap) should I use to implement the above architecture (three tier on two machines)?

Thanks,
Deepak

0 Karma
1 Solution

Legend

If you are using the trial version of Splunk, you have all the Enterprise features for the first 60 days. So distributed search will work for 60 days, which should be enough time for a POC.

If the search head is not connecting to the indexer, I suspect that it is not configured properly. If you could show us the settings in distsearch.conf on the search head, the community can probably help you debug it. (You will probably find it in $SPLUNK_HOME/etc/system/local)


0 Karma
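To go with the advice above about checking distsearch.conf, here is an added example (not from the original thread, and not Splunk's own tooling) that parses the `servers` list in the `[distributedSearch]` stanza, flags entries that are not `https://host:port`, and optionally TCP-probes each peer's management port (8089 by default) with the same 5-second budget the search head's error message mentions. The sample config text and hostnames are constructed placeholders.

```python
import configparser
import socket
from urllib.parse import urlsplit

# Constructed sample distsearch.conf; the stanza and key are the real Splunk
# names, the hostnames are placeholders. The second and third entries are
# deliberately malformed to show what the checker reports.
SAMPLE_DISTSEARCH_CONF = """\
[distributedSearch]
servers = https://indexer01.example:8089, http://indexer02.example:8089, indexer03.example
"""


def parse_search_peers(conf_text):
    """Return a list of (host, port, problems) for each configured search peer.

    problems is a list of strings; an empty list means the entry looks sane
    (https scheme and an explicit management port)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    raw = parser.get("distributedSearch", "servers", fallback="")
    peers = []
    for entry in (e.strip() for e in raw.split(",") if e.strip()):
        problems = []
        # urlsplit only recognises a host when the string has a '//' prefix
        target = entry if "://" in entry else "//" + entry
        parts = urlsplit(target)
        if parts.scheme != "https":
            problems.append("peer must be addressed over https (splunkd management port)")
        if parts.port is None:
            problems.append("no port given; the management port is normally 8089")
        peers.append((parts.hostname or "", parts.port, problems))
    return peers


def probe_peer(host, port, timeout=5.0):
    """TCP-connect to the peer's management port within `timeout` seconds.

    A False here means the search head cannot even open the socket, so the
    '5 seconds to respond' error is a network/firewall problem rather than a
    REST authentication or trust problem."""
    try:
        with socket.create_connection((host, port, ), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for host, port, problems in parse_search_peers(SAMPLE_DISTSEARCH_CONF):
        status = "; ".join(problems) if problems else "entry ok"
        print(f"{host}:{port} -> {status}")
```

Point the script at the real file with `parse_search_peers(open(path).read())` and call `probe_peer` only on entries that report no problems.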

Splunk Employee

If you run search head and indexer on the same machine, there is no need for distributed search. The indexer IS the search head. Distributed search comes into play when you have 2+ indexers.
What are the success criteria for your PoC? Do you need to prove that distributed search works for your PoC to be successful?

0 Karma
