Splunk architecture feedback

New Member

Hello everybody,

I have to deploy 3 virtual machines to set up an architecture containing a forwarder, indexer and header.
I am new on the Splunk side of integration.

Can anyone give me their ideas?

Thank you in advance.

0 Karma
Re: Splunk architecture feedback

SplunkTrust
0 Karma
Re: Splunk architecture feedback

Contributor

First off, I am guessing you mean a Forwarder, Indexer and Search Head.

What are you looking for help with? Sizing for the VMs?

0 Karma
Re: Splunk architecture feedback

Ultra Champion

With Splunk you have two ways to approach the architecture: a standalone Splunk instance or a distributed setup. It's much simpler to start with the standalone one, so that's probably your best choice to begin with.

0 Karma
Re: Splunk architecture feedback

SplunkTrust

The answer is going to depend on exactly what you are trying to do; you will need to meet the system requirements for Splunk.

There are conference talks about sizing, for example from 2015.
There is also the capacity planning documentation and the installation manual, among many others. I built all my Splunk instances from reading the excellent documentation, so that would be a good place to start...

The conf 2017 slides are not uploaded yet, but there were a few talks about using Docker instances to create Splunk test environments.
You could, in your example, build 1 Splunk indexer and 1 Splunk search head (distributed Splunk architecture), and your remaining server could be a Splunk heavy forwarder or just a universal forwarder.
Or you could just build a single Splunk instance which is indexer/search head and have just 1 server; it is going to depend on what you are attempting to do.

Alternatively you could look at building an indexer cluster which would require 1 server for cluster master and multiple indexers (or peer nodes).

0 Karma
Re: Splunk architecture feedback

Splunk Employee

Taking into account the info provided above regarding system requirements and architecture, if you want a search head, an indexer, and a forwarder, here are some notes that might help you get up and rolling quickly. I would recommend reading the docs on this as well so you understand it more deeply, but this will be sort of a quick start.

  • Install Indexers
  • Change default password on each Indexer (required for Search Head to connect)
  • Install Search Head
  • Install Licenses on Search Head (License Master)
  • Configure each Indexer as a License Slave
    • Settings > Licensing
    • Click Change to slave
    • Click Designate a different Splunk instance as the master license server radio button
    • Specify the IP/Hostname and Splunk management port (8089 by default)
    • Save
  • Establish connections from Search Head to all Search Peers. This is the key step.
    • Distributed search > Search peers > Add New
    • Specify the search peer, along with any authentication settings
    • Save
  • Install Universal Forwarders and configure them to send to all Search Peers
    • Example Universal Forwarder outputs.conf:

      [tcpout]
      defaultGroup = mysearchpeers

      [tcpout:mysearchpeers]
      # both indexers, on the default receiving port
      server=10.10.10.1:9997,10.10.10.2:9997
      # spread events across the listed receivers
      autoLB = true

  • Forward internal SH data to the indexer tier.
    • Create indexes from SH on the indexers (search peers). Internal indexes will already exist, but indexes created by apps can be easily created by installing the apps on the indexers as well.
    • Set SH up to Forward to all Search Peers and turn off indexing on the search head.
    • Example outputs.conf:

      [indexAndForward]
      # do not keep a local copy on the search head
      index = false

      [tcpout]
      defaultGroup = mysearchpeers
      # forward the internal (_*) indexes as well
      forwardedindex.filter.disable = true
      indexAndForward = false

      [tcpout:mysearchpeers]
      server=10.10.10.1:9997,10.10.10.2:9997
      autoLB = true

0 Karma
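As an added example, not part of the original post or of Splunk's own tooling: a small Python checker for outputs.conf fragments like the two quoted in the quick-start steps above. It catches a defaultGroup that points at no stanza, server entries without a port, load balancing switched off across several receivers, and a search head that still indexes locally; the role labels "forwarder" and "search_head" are my own.

```python
# Added example, not from the original post: a sanity checker for Splunk
# outputs.conf fragments. configparser copes with Splunk's INI-style stanzas
# as long as '=' is the only key/value delimiter (values contain ':').
import configparser

# Constructed samples: the two fragments quoted in the steps above.
UF_OUTPUTS = """[tcpout]
defaultGroup = mysearchpeers
[tcpout:mysearchpeers]
server=10.10.10.1:9997,10.10.10.2:9997
autoLB = true
"""
SH_OUTPUTS = """[indexAndForward]
index = false
[tcpout]
defaultGroup = mysearchpeers
forwardedindex.filter.disable = true
indexAndForward = false
[tcpout:mysearchpeers]
server=10.10.10.1:9997,10.10.10.2:9997
autoLB = true
"""

def parse_conf(text):  # -> {stanza: {key: value}}, keys keep their case
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys such as defaultGroup are case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def check_outputs_conf(text, role="forwarder"):
    """Return the problems found; [] means the fragment looks sane for that role."""
    conf, problems = parse_conf(text), []
    tcpout = conf.get("tcpout", {})
    group = tcpout.get("defaultGroup")
    stanza = conf.get(f"tcpout:{group}") if group else None
    if stanza is None:
        return [f"[tcpout] defaultGroup '{group}' has no matching [tcpout:{group}] stanza"]
    servers = [s.strip() for s in stanza.get("server", "").split(",") if s.strip()]
    for s in servers:
        host, _, port = s.rpartition(":")  # rpartition -> ('', '', s) when ':' is absent
        if not host or not port.isdigit():
            problems.append(f"server entry '{s}' is not host:port")
    if len(servers) > 1 and stanza.get("autoLB", "true").lower() != "true":
        problems.append("several receivers listed but autoLB is not true")
    if role == "search_head":  # the SH must ship its own data instead of indexing it
        if conf.get("indexAndForward", {}).get("index", "true").lower() != "false":
            problems.append("search head still indexes locally: set [indexAndForward] index = false")
        if tcpout.get("forwardedindex.filter.disable", "false").lower() != "true":
            problems.append("internal indexes would be filtered: set forwardedindex.filter.disable = true")
    return problems
```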