Getting Data In

What CLI or configuration files changes are needed to enable a search head to talk to a remote indexer?

Explorer

I am going to install a search head and a indexer on different boxes, how to configure to enable them to talk to each other, any CLI or configuration file for it? Thanks

0 Karma

Esteemed Legend

It is not entirely necessary to do this through the GUI; you can manually configure a search peer as follows:

On your Search Head, get a copy of this file:

$SPLUNK_HOME/etc/auth/distServerKeys/trusted.pem

Also modify this file and add in the new Indexer (it might be in a different location so poke around):

$SPLUNK_HOME/etc/system/local/distsearch.conf

Also get the hostname of the Search Head with this command:

hostname

On your Indexer(s), go to this directory:

$SPLUNK_HOME/etc/auth/distServerKeys/

Create a directory there named with the name of your Search Head's hostname and put the trusted.pem file from the Search Head there.

P.S. This is copied from a related Q&A that I just answered:

https://answers.splunk.com/answers/514258/search-heads-authentication-credentials-rejected-b.html#an...

0 Karma