Getting Data In

Search Head > Indexer > Forwarder

New Member

Hi, quite new to Splunk. I have had a look at the various documentation and have managed to come this far (see below).

I have installed a Universal Forwarder on two of my machines. This is sending logs to one instance of my Splunk Enterprise (also known as the indexer). Here I can see all my logs and search. Is there anything else I need to do at this point, to configure the indexer?

How do I get this data from the indexer to a search head? And how do I configure this? I have had a look online and I think I need to do something with Distributed Search but cannot seem to get it working. E.g. for Search Peers, what goes in Peer URI? Distributed search authentication? I have followed the guide but can't seem to understand what goes in these fields.

How does my indexer server talk to the search head one?

Thanks in advance.
Abdul

0 Karma

Re: Search Head > Indexer > Forwarder

Champion

Question - How do I get this data from the indexer to a search head? And how do I configure this?
How does my indexer server talk to the search head one?

Search head and indexer communicate with each other automatically...
We need not do much on this.. when we do the deployment, we just need to tell them which one is the search head and which one is the indexer.. then they will take care of the rest..

These links may give you some more info about the search head and indexer...

http://docs.splunk.com/Documentation/Splunk/7.1.2/InheritedDeployment/Deploymenttopology
https://www.edureka.co/blog/splunk-architecture/


Re: Search Head > Indexer > Forwarder

Motivator

You can activate distributed search in many ways as discussed here.

From Web Interface:
To configure distributed search, go to Settings >> Distributed search >> Search peers >> New Search Peer (on the top right corner).

Peer URI: https://your_indexer_hostname_or_ipaddress:<port>, example: https://10.10.10.10:8089

Distributed search authentication: admin user and password of Splunk on your indexer.

From CLI:

To add a search peer, run this command from the search head:

splunk add search-server <scheme>://<host>:<port> -auth <user>:<password> -remoteUsername <user> -remotePassword <passremote>

Note the following:

<scheme> is the URI scheme: "http" or "https".
<host> is the host name or IP address of the search peer's host machine.
<port> is the management port of the search peer.
Use the -auth flag to provide credentials for the search head.
Use the -remoteUsername and -remotePassword flags for the credentials for the search peer (indexer). The remote credentials must be for an admin-level user on the search peer.

For example:

splunk add search-server https://10.10.10.10:8089 -auth admin:password -remoteUsername admin -remotePassword passremote

You must run this command for each search peer that you want to add.
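Since the command has to be repeated per search peer, here is an added POSIX shell script (my own example, not from the original answer or from Splunk) that builds the https://host:port peer URI from a constructed list of indexers, runs `splunk add search-server` once for each, and then lists the configured peers with `splunk list search-server`. It assumes the `splunk` binary is on PATH (or given via SPLUNK_BIN), that the search head credentials are in SH_AUTH as user:password and the indexer's admin-level credentials in PEER_USER and PEER_PASS (these variable names are my own choice), and that the peer list below is sample data.

```shell
#!/bin/sh
# Added example: add several indexers as search peers from the search head.
# Not Splunk's own code; assumes `splunk` on PATH (override with SPLUNK_BIN).

# Constructed sample peer list: one "host" or "host:port" per line.
# The port is the Splunk management port (8089 by default), as in the answer.
PEERS="10.10.10.10
10.10.10.11:8089"
DEFAULT_PORT=8089
SPLUNK_BIN="${SPLUNK_BIN:-splunk}"

# Turn "host" or "host:port" into the https://host:port form the peer URI
# expects. Anything that is not a bare hostname/IP with an optional numeric
# port is rejected, so a malformed list entry never reaches the CLI.
peer_uri() {
    host=${1%%:*}
    port=${1#"$host"}
    port=${port#:}
    [ -n "$port" ] || port=$DEFAULT_PORT
    case "$host" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case "$port" in *[!0-9]*) return 1 ;; esac
    printf 'https://%s:%s\n' "$host" "$port"
}

# Run `splunk add search-server` once per peer. Credentials are read from the
# environment (hypothetical variable names) rather than written into the script,
# so the script can be kept in version control without the passwords.
# Returns the number of peers that could not be added (0 on full success).
add_peers() {
    if [ -z "${SH_AUTH:-}" ] || [ -z "${PEER_USER:-}" ] || [ -z "${PEER_PASS:-}" ]; then
        echo "set SH_AUTH (user:password on the search head), PEER_USER and PEER_PASS (admin-level user on the indexer)" >&2
        return 1
    fi
    failed=0
    for peer in $PEERS; do
        if uri=$(peer_uri "$peer"); then
            "$SPLUNK_BIN" add search-server "$uri" -auth "$SH_AUTH" \
                -remoteUsername "$PEER_USER" -remotePassword "$PEER_PASS" \
                || { echo "failed to add $uri" >&2; failed=$((failed + 1)); }
        else
            echo "skipping malformed peer entry: $peer" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Show what the search head now has configured, to confirm each peer is listed.
verify_peers() {
    "$SPLUNK_BIN" list search-server -auth "$SH_AUTH"
}

# Usage: SH_AUTH=admin:pw PEER_USER=admin PEER_PASS=pw RUN_ADD_PEERS=1 sh add_peers.sh
if [ "${RUN_ADD_PEERS:-}" = 1 ]; then
    add_peers && verify_peers
fi
```

Two points worth checking when this is run for real: the port in the URI must be the management port (8089 by default), not the port the forwarders send data to, and the remote user must be admin-level on the indexer, exactly as the answer states; if `list search-server` does not show a peer afterwards, the `add` step for it failed and the message on stderr says which one.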


Re: Search Head > Indexer > Forwarder

Community Manager

Hi @abdulhasnath

Did any of the answers below solve your question? If yes, please click "Accept" directly below the answer that worked. If not, please comment with more information for the community to help you troubleshoot.

Thanks!

0 Karma