Splunk Configuration for Search Head, Indexer and Forwarder

I have 3 systems. I want one system to work as a Forwarder, one as an Indexer and one as a Search Head.
Setting up the forwarder is fine, but I want to separate indexing and searching.
That means searching should not be available on the indexing system, and indexing should not be available on the search system.
How can I achieve this type of configuration?

Please let me know if you want more details.

0 Karma

Re: Splunk Configuration for Search Head, Indexer and Forwarder

SplunkTrust

I would suggest some homework first. Have a look at the Distributed Deployment guide, perhaps starting here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Deploy/Implementationoverview

This configuration is a highly common, typical small Splunk configuration. You:

  1. Disable the web interface on the indexer
  2. Configure the search head to act as a search peer of the indexer
  3. Configure the search head to forward its _internal and other local logs to your indexer

This design is well-covered in the Distributed Deployment guide linked above as well as in the Splunk System Administration class. If you have specific questions about deploying this design, I would suggest a more specific follow-up question (or questions).

0 Karma
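The three steps in the answer above, written out as Splunk `.conf` stanzas. This is an added example, not part of the original thread; the hostname `idx1.example.com`, the output group name `primary_indexers` and receiving port 9997 are assumptions.

```ini
# All hostnames, the group name and port 9997 are assumptions for this example.

# --- Indexer: $SPLUNK_HOME/etc/system/local/web.conf ---
# Step 1: do not start Splunk Web on the indexer, so no search UI is
# exposed there (one less listening service to patch and monitor).
[settings]
startwebserver = 0

# --- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Receive data from the forwarder and, for step 3, from the search head.
[splunktcp://9997]
disabled = 0

# --- Search head: $SPLUNK_HOME/etc/system/local/distsearch.conf ---
# Step 2: distributed search link to the indexer's management port
# (8089 by default). Adding the peer through Splunk Web or the CLI also
# handles the key exchange; a hand-edited file needs the search head's
# key distributed to the indexer separately.
[distributedSearch]
servers = https://idx1.example.com:8089

# --- Search head: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Step 3: keep nothing indexed locally and send everything, including
# _internal, to the indexer.
[indexAndForward]
index = false

[tcpout]
defaultGroup = primary_indexers
# Disable the default index filter so internal indexes are forwarded too.
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:primary_indexers]
server = idx1.example.com:9997
```

Restart splunkd on each instance after editing these files.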

Re: Splunk Configuration for Search Head, Indexer and Forwarder

Hey @dwaddle, thanks for the help. Actually, I just completed the Power User certification and am about to start with administration. Just one more query: after setting up the environment as you have mentioned, if I link more forwarders to the indexer, do I not have to worry about the search head?

0 Karma

Re: Splunk Configuration for Search Head, Indexer and Forwarder

SplunkTrust

Correct. Search heads don't particularly care about how many forwarders are connected to the indexer. But if you are going to add a bunch of forwarders, then you should be looking at adding a deployment server to your design.

0 Karma

Re: Splunk Configuration for Search Head, Indexer and Forwarder

Thanks Bro 🙂

0 Karma

Re: Splunk Configuration for Search Head, Indexer and Forwarder

New Member

Should we install a forwarder on the search head?

0 Karma