Getting Data In

Search Head > Indexer > Forwarder

abdulhasnath
New Member

Hi, quite new to Splunk. I have had a look at the various documentation and have managed to come this far (see below).

I have installed a Universal Forwarder on two of my machines. This is sending logs to one instance of my Splunk Enterprise (also known as the indexer). Here I can see all my logs and search. Is there anything else I need to do at this point, to configure the indexer?

How do I get this data from the indexer to a search head? And how do I configure this? I have had a look online and I think I need to do something with Distributed Search but cannot seem to get it working. E.g. for Search Peers, what goes in Peer URI? Distributed search authentication? I have followed the guide but can't seem to understand what goes in these fields.

How does my indexer server talk to the search head one?

Thanks in advance.
Abdul

0 Karma

ppablo
Retired

Hi @abdulhasnath

Did any of the answers below solve your question? If yes, please click "Accept" directly below the answer that worked. If not, please comment with more information for the community to help you troubleshoot.

Thanks!

0 Karma

sudosplunk
Motivator

You can activate distributed search in many ways as discussed here.

From Web Interface:
To configure distributed search, go to settings >> Distributed search >> Search peers >> New Search peer (on top right corner).

Peer URI: https://your_indexer_hostname_or_ipaddress:<management_port>, example: https://10.10.10.10:8089

Distributed search authentication: ADMIN user and password of splunk on your indexer.

From CLI:

To add a search peer, run this command from the search head:

splunk add search-server <scheme>://<host>:<port> -auth <user>:<password> -remoteUsername <user> -remotePassword <passremote>

Note the following:

<scheme> is the URI scheme: "http" or "https".
<host> is the host name or IP address of the search peer's host machine.
<port> is the management port of the search peer.
Use the -auth flag to provide credentials for the search head.
Use the -remoteUsername and -remotePassword flags for the credentials for the search peer (indexer). The remote credentials must be for an admin-level user on the search peer.

For example:

splunk add search-server https://10.10.10.10:8089 -auth admin:password -remoteUsername admin -remotePassword passremote

You must run this command for each search peer that you want to add.
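The per-peer registration described in the answer above, as an added example that is not code from the thread or from Splunk. It wraps the same `splunk add search-server` command in a small POSIX sh script that first checks each Peer URI is `https://host:port` (the management port, 8089 by default, speaks HTTPS; the web UI port 8000 and the receiving port 9997 that forwarders send to are the usual wrong answers), then registers every peer and lists the result with `splunk list search-server`. The peer addresses, the `SH_*`/`REMOTE_*` variables and the `DRY_RUN`/`SPLUNK_BIN` switches are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk: register indexers as
# search peers from the search head, with the checks worth running first.
# Assumptions (constructed for illustration): the splunk binary is on PATH as
# "splunk" unless SPLUNK_BIN is set, credentials arrive in environment
# variables, and the two peer addresses below are placeholders.

# Peer URIs use the indexer's management port (8089 by default), which speaks
# HTTPS, not the web UI port (8000) or the receiving port (9997) forwarders use.
PEERS="${PEERS:-https://10.10.10.10:8089 https://10.10.10.11:8089}"

# Refuse anything that is not https://host:port. The -remote* credentials are an
# admin-level account on the indexer, so plaintext http is never acceptable.
validate_peer_uri() {
    case "$1" in
        https://*:[0-9]*) ;;
        *) echo "refusing peer URI '$1': expected https://host:port" >&2; return 1 ;;
    esac
    case "${1##*:}" in
        *[!0-9]*) echo "refusing peer URI '$1': port must be numeric" >&2; return 1 ;;
    esac
    return 0
}

# Render the exact command the answer gives, for one peer. Returned as text so
# it can be reviewed (or diffed against an inventory) before anything runs.
add_peer_cmd() {
    printf 'splunk add search-server %s -auth %s:%s -remoteUsername %s -remotePassword %s\n' \
        "$1" "$SH_USER" "$SH_PASS" "$REMOTE_USER" "$REMOTE_PASS"
}

# Validate every peer, then either print (DRY_RUN=1, the default) or run the
# registration. Exit status is non-zero if any peer was rejected or failed.
register_peers() {
    rc=0
    for peer in $PEERS; do
        validate_peer_uri "$peer" || { rc=1; continue; }
        if [ "${DRY_RUN:-1}" = 1 ]; then
            add_peer_cmd "$peer"
        else
            "${SPLUNK_BIN:-splunk}" add search-server "$peer" \
                -auth "$SH_USER:$SH_PASS" \
                -remoteUsername "$REMOTE_USER" -remotePassword "$REMOTE_PASS" || rc=1
        fi
    done
    return $rc
}

# Confirmation step: list the search peers the search head now knows about.
list_peers() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'splunk list search-server -auth %s:%s\n' "$SH_USER" "$SH_PASS"
    else
        "${SPLUNK_BIN:-splunk}" list search-server -auth "$SH_USER:$SH_PASS"
    fi
}

# Placeholder credentials for a stand-alone dry run; export real ones and
# DRY_RUN=0 to actually register the peers.
: "${SH_USER:=admin}" "${SH_PASS:=password}" "${REMOTE_USER:=admin}" "${REMOTE_PASS:=passremote}"
register_peers && list_peers
```

Two practical notes. The `-remotePassword` value is on the command line, so it is visible to other local users in `ps` output and ends up in shell history; run the script from a session with history disabled and clear the variables afterwards. And a peer that fails validation does not stop the loop: the script keeps going, registers the good peers, and reports failure through its exit status, so an inventory with one bad entry still leaves the rest usable.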

inventsekar
SplunkTrust

Question - How do I get this data from the indexer to a search head? And how do I configure this?
How does my indexer server talk to the search head one?

Search head and indexer communicate with each other automatically...
We need not do much on this. When we do the deployment, we just need to inform them which one is the search head and which one is the indexer. Then they will take care of the rest.

these links may give you some more info about the search head and indexer...

http://docs.splunk.com/Documentation/Splunk/7.1.2/InheritedDeployment/Deploymenttopology
https://www.edureka.co/blog/splunk-architecture/

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !