
I have 3 systems. I want one system to work as Forwarder, one as Indexer and one as Search Head.
Setting up the forwarder is fine, but I want to separate indexing and searching.
That means on the indexing system searching should not be available, and on the search system indexing should not be available.
How can I achieve this type of configuration?
Please let me know if you want more details.


I would suggest some homework first. Have a look at the Distributed Deployment guide, perhaps starting here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Deploy/Implementationoverview
This configuration is a highly common, typical small Splunk configuration. You:
- Disable the web interface on the indexer
- Configure the search head to act as a search peer of the indexer
- Configure the search head to forward its _internal and other local logs to your indexer
This design is well-covered in the Distributed Deployment guide linked above as well as in the Splunk System Administration class. If you have specific questions about deploying this design, I would suggest a more specific follow-up question (or questions).
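
A configuration sketch of the three steps listed in the answer above, added here as an example and not taken from the thread or from Splunk's documentation. The host name `idx.example.com` and the output group name `primary_indexers` are placeholders, and ports 9997 and 8089 are assumed to be left at their conventional defaults.

```ini
# --- Indexer: $SPLUNK_HOME/etc/system/local/web.conf ---
# Turn off Splunk Web so nobody searches on the indexer directly.
# splunkd's management port (8089 by default) stays up; the search head needs it.
[settings]
startwebserver = 0

# --- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Receive data from the forwarders and from the search head.
[splunktcp://9997]
disabled = 0

# --- Search head: $SPLUNK_HOME/etc/system/local/distsearch.conf ---
# The indexer registered as a search peer (placeholder host name).
# Adding the peer through Splunk Web or "splunk add search-server" also sets up
# authentication between the two; a hand-edited file needs the keys
# distributed manually.
[distributedSearch]
servers = https://idx.example.com:8089

# --- Search head: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Do not index locally; send everything, including _internal, to the indexer.
[indexAndForward]
index = false

[tcpout]
defaultGroup = primary_indexers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:primary_indexers]
server = idx.example.com:9997
```

Both instances need a restart for the changes to take effect.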


Must the search head and indexer be deployed on different, separate servers with different IP addresses? And does it mean that I have to install Splunk on those different servers?
What's the problem with having the indexer and search head deployed on 1 server?

Hey @dwaddle, thanks for the help. Actually, I just completed the power user certification and am about to start with administration. Just one more query: after setting up the environment as you have mentioned, if I link more forwarders to the indexer, do I not have to worry about the search head?


Correct. Search heads don't particularly care about how many forwarders are connected to the indexer. But if you are going to add a bunch of forwarders, then you should be looking at adding a deployment server to your design.
Should we install a forwarder on the search head?

Thanks Bro 🙂
