Getting Data In

What CLI or configuration files changes are needed to enable a search head to talk to a remote indexer?

danielwan
Explorer

I am going to install a search head and a indexer on different boxes, how to configure to enable them to talk to each other, any CLI or configuration file for it? Thanks

0 Karma

woodcock
Esteemed Legend

It is not entirely necessary to do this through the GUI; you can manually configure a search peer as follows:

On your Search Head, get a copy of this file:

$SPLUNK_HOME/etc/auth/distServerKeys/trusted.pem

Also modify this file and add in the new Indexer (it might be in a different location so poke around):

$SPLUNK_HOME/etc/system/local/distsearch.conf

Also get the hostname of the Search Head with this command:

hostname

On your Indexer(s), go to this directory:

$SPLUNK_HOME/etc/auth/distServerKeys/

Create a directory there named with the name of your Search Head's hostname and put the trusted.pem file from the Search Head there.

P.S. This is copied from a related Q&A that I just answered:

https://answers.splunk.com/answers/514258/search-heads-authentication-credentials-rejected-b.html#an...

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!