Re: Splunk install as 2 tier architecture

przemyslawpiest · ‎03-02-2017

I would like to know is it possible to install splunk in two tier architecture. One server shoudl store all the logs (probably indexer), the other one should just search through these logs and display them to the client (search head). Is there any instruction how to install splunk in such architecture? One important factor: logs cannot be stored persistently in any way on presentation server - this is our security requirements.

richgalloway · ‎03-02-2017

Not only is a two-tier architecture possible, it's recommended for all but the smallest installations. See http://docs.splunk.com/Documentation/Splunk/6.5.2/Deploy/Distributedoverview

---
If this reply helps you, Karma would be appreciated.

przemyslawpiest · ‎03-02-2017

If I understand right we need than 2 heavy forwarders installed and properly configure them sa one will be an indexer, the other search head. Am i right? Is there any documentation on how to configure this in such way?

richgalloway · ‎03-02-2017

You don't need any heavy forwarders. Install 2 separate instances of Splunk Enterprise. One will be the search head (SH) and license master; the other will be the indexer. Configure the indexer as a license slave pointing to the SH. On the SH, configure distributed search using the indexer as a search peer.

Relevant documentation is a bit scattered, but start with the Distributed Search manual at http://docs.splunk.com/Documentation/Splunk/6.5.2/DistSearch/Whatisdistributedsearch

---
If this reply helps you, Karma would be appreciated.

Splunk install as 2 tier architecture

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!