Splunk Configuration for Search Head, Indexer and Forwarder

gaurav_maniar
Builder

I have 3 systems. I want one system to work as Forwarder, one as Indexer and one as Search Head.
Setting up the forwarder is fine, but I want to separate indexing and searching.
That means on the indexing system, searching should not be available, and on the search system, indexing should not be available.
How can I achieve this type of configuration?

Please let me know if you want more details.

0 Karma
1 Solution

dwaddle
SplunkTrust

I would suggest some homework first. Have a look at the Distributed Deployment guide, perhaps starting here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Deploy/Implementationoverview

This configuration is a highly common, typical small Splunk configuration. You:

  1. Disable the web interface on the indexer
  2. Configure the search head to act as a search peer of the indexer
  3. Configure the search head to forward its _internal and other local logs to your indexer

This design is well-covered in the Distributed Deployment guide linked above as well as in the Splunk System Administration class. If you have specific questions about deploying this design, I would suggest a more specific follow-up question (or questions).

0 Karma
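
The three steps in the answer above, written out as configuration files. This is an added example, not part of the original post: the host name `idx01.example.com` and the group name `primary_indexers` are placeholders, and ports 8089 (management) and 9997 (receiving) are assumed to be in use.

```ini
# --- Indexer: $SPLUNK_HOME/etc/system/local/web.conf ---
# Step 1: do not start Splunk Web on the indexer, so it exposes no
# search UI. The management port (8089) stays up for the search head.
[settings]
startwebserver = 0

# --- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Listen for data from forwarders (and from the search head, step 3).
[splunktcp://9997]
disabled = 0

# --- Search head: $SPLUNK_HOME/etc/system/local/distsearch.conf ---
# Step 2: register the indexer as a search peer.
# idx01.example.com is a placeholder for your indexer.
[distributedSearch]
servers = https://idx01.example.com:8089

# --- Search head: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Step 3: keep nothing in local indexes; send _internal and the other
# local logs to the indexer instead.
[indexAndForward]
index = false

[tcpout]
defaultGroup = primary_indexers
# Lift the default forwarding filter so every local index is sent.
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:primary_indexers]
server = idx01.example.com:9997
```

Adding the peer with `splunk add search-server` on the search head, instead of editing `distsearch.conf` by hand, also sets up the authentication between search head and indexer; with a hand-edited file that has to be configured separately. Restart Splunk on each instance after changing these files.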

Simons20
Loves-to-Learn Lots

Do the search head and indexer have to be deployed on separate servers with different IP addresses? And does it mean that I have to install Splunk on those different servers?

What's the problem with having the indexer and search head deployed on 1 server?

 

0 Karma

gaurav_maniar
Builder

Hey @dwaddle, thanks for the help. Actually, I just completed the Power User certification and am about to start with administration. Just one more query: after setting up the environment as you have mentioned, if I link more forwarders to the indexer, do I not have to worry about the search head?

0 Karma

dwaddle
SplunkTrust

Correct. Search heads don't particularly care about how many forwarders are connected to the indexer. But, if you are going to add a bunch of forwarders, then you should be looking at adding a deployment server to your design.

0 Karma

nasimm
New Member

Should we install a forwarder on the search head?

0 Karma

gaurav_maniar
Builder

Thanks Bro 🙂

0 Karma