Installation
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk install as 2 tier architecture

przemyslawpiest
New Member
‎03-02-2017 01:04 AM

I would like to know is it possible to install splunk in two tier architecture. One server shoudl store all the logs (probably indexer), the other one should just search through these logs and display them to the client (search head). Is there any instruction how to install splunk in such architecture? One important factor: logs cannot be stored persistently in any way on presentation server - this is our security requirements.

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-02-2017 04:50 AM

Not only is a two-tier architecture possible, it's recommended for all but the smallest installations. See http://docs.splunk.com/Documentation/Splunk/6.5.2/Deploy/Distributedoverview

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

przemyslawpiest
New Member
‎03-02-2017 04:57 AM

If I understand right we need than 2 heavy forwarders installed and properly configure them sa one will be an indexer, the other search head. Am i right? Is there any documentation on how to configure this in such way?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-02-2017 05:45 AM

You don't need any heavy forwarders. Install 2 separate instances of Splunk Enterprise. One will be the search head (SH) and license master; the other will be the indexer. Configure the indexer as a license slave pointing to the SH. On the SH, configure distributed search using the indexer as a search peer.

Relevant documentation is a bit scattered, but start with the Distributed Search manual at http://docs.splunk.com/Documentation/Splunk/6.5.2/DistSearch/Whatisdistributedsearch

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...