We would like to use a Linux search head talking to a Windows based indexer cluster (cluster master and peers).
I personally think this will work just fine, but I'd like to know what the formal stance from Splunk is on this subject.
We already have Linux Heavy Forwarder instances, but to date we have used only Windows search and indexing instances.
Is this okay with Splunk, and/or is there a document detailing the relevant guidance/restrictions?
All indexer cluster nodes, which include the search heads, the peers (indexers), and the master node, must be running the same OS. See:
If the CM, SH and indexers must all be the same OS, how do we migrate from, say, Windows indexers to Linux indexers?
We cannot have a single SH searching both operating systems.
At some point we're going to have a cross-OS relationship (assuming a Linux CM and peers is built alongside an existing Windows CM and peers).
The SH is going to be one OS or the other.
Splunk is 100% compatible but NOT SUPPORTED from Linux -> Windows and Windows -> Linux.
As long as all the indexers/peers are the same OS, which is mentioned here: http://docs.splunk.com/Documentation/Splunk/6.1/Indexer/Systemrequirements
In both examples, I've used the Linux deployment server "jindexmaster" to deploy a forwarding application to both Windows machines.
So again this can be done contrary to the documents. However, it is not supported.
The original question of can we have Linux forwarders sending data to Windows indexers: that's perfectly acceptable and 100% supported. That's the question I originally answered. I've since edited further, although I'm pretty sure I had the correct answer.
Then you asked how to migrate from Windows to Linux, for example, and I was able to show you that a Windows search head works fine on a Linux cluster, but it's not documented to and therefore is unsupported.
As for documentation on what will happen if you have A, B or C config... will B on Linux lose XYZ capabilities... as far as I know there isn't much documentation on this.
I can tell you that only Windows Splunk servers can monitor PowerShell, Active Directory, and WMI inputs.
If you still believe I haven't answered your question, file a case for "the word" from splunk 😉 then you'll have it all official and what not. FWIW, I for one believe I've gone above and beyond, I even spent money to prove to you that it works with screenshots. Maybe you can give my comments some karma for the attempt to help... ? 😉
Some crossed wires here, I think. I did not ask whether cross-OS event forwarding works (I know it does, and is supported).
I have only asked about mixed-OS infrastructure clusters (search/CMs/peers) - which is mentioned in the Splunk docs, but only the case where all infrastructure instances are the same OS is mentioned as supported.
I want to use a Linux search head to search a Windows, multi-site indexer cluster. That, it seems, is not supported, which you have demonstrated to work. Some organisations will not use unsupported configurations, even if it works.
Ultimately I want to replace a Windows indexing cluster with a Linux indexing cluster, but this migration is not possible whilst staying within the supported configuration - mixing OSs for SH/CM/indexer instances is not supported.
I was sent to Splunk Answers to ask this question by a Splunk person in the UK - that 'Answers was the place to ask this question'. It seems the formal answer is found by raising a support case.
I appreciate your help with demonstrating it, but I was always after an "is this supported" statement from Splunk themselves - not from the community - hence my first response to you (are you a Splunk person). Sometimes Answers is not the best forum for questions/discussions.
JKat54 - are you a Splunk person? My organisation is seeking a statement from Splunk itself, not a community member.
Your original posting said we could "mix operating systems within the same cluster." You then changed that to "all the peers must be the same OS".
To migrate to a different OS, we need to build a separate new cluster; we cannot simply switch in cluster peers (which was the answer I hoped for, as everything is just talking REST).
This page: http://docs.splunk.com/Documentation/Splunk/6.1/Indexer/Systemrequirements
Summary of key requirements
These are the main issues to note:
Each cluster node (master, peer, or search head) must reside on a separate Splunk Enterprise instance.
Each node instance must run the same Splunk Enterprise version.
Each node instance must run on a separate machine or virtual machine, and each machine must be running the same operating system.
All nodes must be connected over a network.
For example, to deploy a cluster consisting of three peers, one master, and one search head, you need five Splunk Enterprise instances running on five machines connected over a network. All instances must be at the same Splunk Enterprise version level (for example, 5.0.3). And all machines must be running the same operating system.
This states that all peers, the CM and the search heads must be the same operating system. This is in conflict with your statement (which says only the peers themselves need to be the same OS).
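The requirements quoted above (same Splunk Enterprise version and same operating system on every master, peer and search head) are easy to check before a change window rather than after a support case. The script below is an added example written for this thread; it is not Splunk's own tooling and not code from anyone in the discussion. It assumes the REST endpoint `/services/server/info` returns JSON with `os_name` and `version` fields (check the REST reference for your Splunk version), and it assumes a bearer-token header for authentication. The sample node list is constructed to mirror the scenario discussed here: a Linux search head in front of a Windows master and Windows peers, with one peer also on a different Splunk version.

```python
"""Check an indexer cluster's nodes for the homogeneity the Splunk system
requirements demand: one OS and one Splunk Enterprise version across the
master, every peer and every search head.  Added example, not Splunk code."""
import json
import urllib.request
from collections import defaultdict

# Assumed endpoint and field names (os_name, version); verify against the
# REST API reference for the Splunk version you run.
SERVER_INFO_PATH = "/services/server/info?output_mode=json"


def fetch_server_info(base_url, token):
    """Return the server/info 'content' dict for one live node.

    base_url is the management port URL, e.g. https://idx01.example.internal:8089
    (hypothetical host).  token is a Splunk authentication token sent as a
    bearer header (assumption).  TLS verification is left at the default (on).
    This function needs network access and is not exercised by the offline run.
    """
    req = urllib.request.Request(base_url + SERVER_INFO_PATH,
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = json.load(resp)
    return body["entry"][0]["content"]


def node_record(name, role, info):
    """Reduce a server/info content dict to the two fields the requirements cover."""
    return {"name": name, "role": role,
            "os": info.get("os_name"), "version": info.get("version")}


def check_cluster_homogeneity(nodes):
    """Return human-readable findings; an empty list means every node shares
    the same OS and the same Splunk version, i.e. the supported configuration."""
    findings = []
    for key in ("os", "version"):
        groups = defaultdict(list)
        for n in nodes:
            groups[n[key]].append("%s (%s)" % (n["name"], n["role"]))
        if len(groups) > 1:
            detail = "; ".join("%s=%s: %s" % (key, value, ", ".join(members))
                               for value, members in sorted(groups.items(),
                                                            key=lambda kv: str(kv[0])))
            findings.append("mixed %s across cluster nodes: %s" % (key, detail))
    return findings


def is_supported_layout(nodes):
    """True only when no OS or version mismatch exists among the given nodes."""
    return not check_cluster_homogeneity(nodes)


# Constructed sample data standing in for fetch_server_info() results.
SAMPLE_NODES = [
    node_record("sh01", "search head", {"os_name": "Linux", "version": "6.1.3"}),
    node_record("cm01", "master", {"os_name": "Windows", "version": "6.1.3"}),
    node_record("idx01", "peer", {"os_name": "Windows", "version": "6.1.3"}),
    node_record("idx02", "peer", {"os_name": "Windows", "version": "6.1.2"}),
]

# Same cluster with the search head rebuilt on Windows and idx02 upgraded.
HOMOGENEOUS_NODES = [
    node_record("sh01", "search head", {"os_name": "Windows", "version": "6.1.3"}),
    node_record("cm01", "master", {"os_name": "Windows", "version": "6.1.3"}),
    node_record("idx01", "peer", {"os_name": "Windows", "version": "6.1.3"}),
    node_record("idx02", "peer", {"os_name": "Windows", "version": "6.1.3"}),
]

if __name__ == "__main__":
    for label, nodes in (("mixed", SAMPLE_NODES), ("homogeneous", HOMOGENEOUS_NODES)):
        print(label, "supported" if is_supported_layout(nodes) else "NOT supported")
        for finding in check_cluster_homogeneity(nodes):
            print("  -", finding)
```

Against the mixed sample the checker reports two findings (one for the OS split, one for the version split); against the homogeneous list it reports none. To run it against a real environment, replace the constructed dicts with the result of `fetch_server_info()` for each node, using the same node list you hold in the master's peer and search-head configuration, so that a search head nobody remembered to migrate still shows up.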