Getting Data In

We would like to use a Linux search head with a Windows indexer cluster. Is there documentation on cross OS platforms compatibility?

gavsdavs_GR
Path Finder

https://answers.splunk.com/answers/24099/indexers-on-windows-and-linux-for-same-environment.html
http://docs.splunk.com/Documentation/Splunk/6.1/Installation/Systemrequirements#Supported_OSes

We would like to use a Linux search head talking to a Windows based indexer cluster (cluster master and peers).
I personally think this will work just fine, but I'd like to know what the formal stance from Splunk is on this subject.
We already have Linux Heavy Forwarder instances, but to date we have used only Windows search and indexing instances.

Is this okay with Splunk, and/or is there a document detailing the relevant guidance/restrictions ?

Steve_G_
Splunk Employee
Splunk Employee

All indexer cluster nodes, which includes the search heads, the peers (indexers), and the master node, must be running the same o.s. See:

http://docs.splunk.com/Documentation/Splunk/6.4.0/Indexer/Systemrequirements#Summary_of_key_requirem...

gavsdavs_GR
Path Finder

If the CM, SH and Indexers must all be the same OS, how do we migrate from, say, windows indexers to linux indexers.
We cannot have a single SH searching both operating systems.
At some point we're going to have a cross-OS relationship (assuming a linux CM and peers is built alongside an existing windows CM and peers).
The SH is going to be one OS or the other.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Splunk is 100% compatible but ???NOT SUPPORTED??? from linux -> windows and windows -> linux.

As long as all the indexers/peers are the same OS, which is mentioned here: http://docs.splunk.com/Documentation/Splunk/6.1/Indexer/Systemrequirements

jkat54
SplunkTrust
SplunkTrust

Here is a windows peer node joined to a linux cluster:

alt text

jkat54
SplunkTrust
SplunkTrust

In both examples, i've used the Linux deployment server "jindexmaster" to deploy a forwarding application to both windows machines.

So again this can be done contrary to the documents. However, it is not supported.

0 Karma

gavsdavs_GR
Path Finder

Understood - I also thought it would work, but if not supported, some organisations aren't going to go ahead with it.

0 Karma

jkat54
SplunkTrust
SplunkTrust

The original question of can we have linux forwarders sending data to windows indexers: That perfectly acceptable and 100% supported. That's the question I originally answered. Ive since edited further although im pretty sure I had the correct answer.

Then you asked how to migrate from windows to linux for example, and I was able to show you that a windows search head works fine on a linux cluster but it's not documented to and therefore is unsupported.

As for documentation on what will happen if you have A B or C config... will B on linux lose XYZ capabilities... as far as I know there isnt much documentation on this.

I can tell you that only windows splunk servers can monitor powershell, Active Directory, and WMI inputs.

If you still believe I haven't answered your question, file a case for "the word" from splunk 😉 then you'll have it all official and what not. FWIW, I for one believe I've gone above and beyond, I even spent money to prove to you that it works with screenshots. Maybe you can give my comments some karma for the attempt to help... ? 😉

0 Karma

gavsdavs_GR
Path Finder

Some crossed wires here I think. I did not ask whether cross OS event forwarding works (I know it does, and is supported)

I have only asked about mixed OS infrastructure clusters (search/CMs/Peers) - which is mentioned in splunk docs, but only in the case where all infrastructure instances being the same OS as supported.

I want to use a linux search head to search a windows, multi site indexer cluster. That, it seems, is not supported, which you have demonstrated to work. Some organistions will not use unsupported configurations, even if it works.

Ultimately I want to replace a windows indexing cluster with a linux indexing cluster, but this migration is not possible whilst staying within the supported configuration - mixing OSs for SH/CM/Indexer instances is not supported.

I was sent to splunk answers to ask this question by a Splunk person in the UK - that 'answers was the place to ask this question'. It seems the formal answer is found by raising a support case.

I appreciate your help with demonstrating it, but i was always after a "is this supported" statement from splunk themselves - not from the community - hence my first response to you (are you a splunk person). Sometimes answers is not the best forum for questions/discussions.

0 Karma

jkat54
SplunkTrust
SplunkTrust

This is a windows search head joined to a linux cluster...

alt text

0 Karma

jkat54
SplunkTrust
SplunkTrust

This is a windows search head joined to a linux cluster...

alt text

0 Karma

jkat54
SplunkTrust
SplunkTrust

I see you voted on my answer @gavsdavs_GR. If this answered your question can you please "mark as answer" for us as well?

Thank in advance,
JKat54

0 Karma

gavsdavs_GR
Path Finder

JKat54 - are you a splunk person ? My organisation is seeking a statement from splunk itself, not a community member.

Your original posting said we could "mix operating systems within the same cluster." You then changed that to "all the peers must be the same OS"

To migrate to a different OS, we need to build a seperate new cluster, we cannot simply switch in cluster peers (which was the answer I hoped for as everything is just talking rest).

This page: http://docs.splunk.com/Documentation/Splunk/6.1/Indexer/Systemrequirements
Actually says:
Summary of key requirements
These are the main issues to note:

Each cluster node (master, peer, or search head) must reside on a separate Splunk Enterprise instance.
Each node instance must run the same Splunk Enterprise version.
Each node instance must run on a separate machine or virtual machine, and each machine must be running the same operating system.
All nodes must be connected over a network.
For example, to deploy a cluster consisting of three peers, one master, and one search head, you need five Splunk Enterprise instances running on five machines connected over a network. All instances must be at the same Splunk Enterprise version level (for example, 5.0.3). And all machines must be running the same operating system.

This states that all peers, CM and search heads must be the same operating system. This is in conflict with your statement (which says only the peers themselves need to be the same OS)

0 Karma

piebob
Splunk Employee
Splunk Employee

if you're looking for a statement from an official Splunk source, please file a support case.

0 Karma

dolivasoh
Contributor

Everything behind the scenes is REST. I can't imagine this would be any problem as you're talking to splunkd not the OS.

0 Karma

gavsdavs_GR
Path Finder

Yes I thought that too - but I would like to know if this is an acceptable, [Splunk] supported configuration.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...