Getting Data In

convert a stand-alone splunk instance to a dedicated indexer?

MarMoh
Path Finder

Hi All,

Currently there is just one stand alone splunk server running for the entire company, we decided to change the architecture and add a search head and use the existing server as a dedicated indexer. I want to know:
1.How can I do that (get the search component off of the existing server and make it a dedicated indexer)?
2.How to migrate the search configuration from the existing Splunk to the search head?

Thanks,
M

Tags (2)
0 Karma
1 Solution

okrabbe_splunk
Splunk Employee
Splunk Employee

You should read this whole section of the docs carefully:

About distributed search

The basic process is:

  1. Install a dedicated search head.
  2. copy any apps you have to the new search head. Remove any inputs that you have so you are not receiving or indexing on the new search head.
  3. enable distributed search on the search head.
  4. Add the old indexer as a search peer on the search head.
  5. search for something and look to see if you see the indexer in the splunk_server field

After that, it is up to you if you want to disable the web ui on the old indexer. It is also up to you if you want to organize your apps better so only the correct pieces are on the search head. This isn't strictly necessary because splunk will ignore settings that do not apply to the type of server but it is a best practice.

I would read this to help you understand how configurations work in a distributed deployment:

Where do I configure my splunk settings

View solution in original post

okrabbe_splunk
Splunk Employee
Splunk Employee

You should read this whole section of the docs carefully:

About distributed search

The basic process is:

  1. Install a dedicated search head.
  2. copy any apps you have to the new search head. Remove any inputs that you have so you are not receiving or indexing on the new search head.
  3. enable distributed search on the search head.
  4. Add the old indexer as a search peer on the search head.
  5. search for something and look to see if you see the indexer in the splunk_server field

After that, it is up to you if you want to disable the web ui on the old indexer. It is also up to you if you want to organize your apps better so only the correct pieces are on the search head. This isn't strictly necessary because splunk will ignore settings that do not apply to the type of server but it is a best practice.

I would read this to help you understand how configurations work in a distributed deployment:

Where do I configure my splunk settings

View solution in original post

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!