Solved: Is there a way to separate indexer and search head...

muradgh · ‎11-30-2022

Hi Splunkers

I currently have one Splunk machine that has two rules at once (a search head and an indexer) and I want to separate each rule from another with its own separate machine.

Is there a way to do such action? if so, what are the steps to do so?

Thanks.

gcusello · ‎11-30-2022

Hi @muradgh,

you have to:

install a new server with the correct hardware reference,
install Splunk on it,
configurate it to work with a Forwarder license,
forward all logs to the other server,
configure it as Searche Haed that uses the other server
use it for the searches.

for more information you can see at https://docs.splunk.com/Documentation/Splunk/9.0.2/DistSearch/Whatisdistributedsearch

Ciao.

Giuseppe

View solution in original post

gcusello · ‎11-30-2022

Hi @muradgh,

you have to:

install a new server with the correct hardware reference,
install Splunk on it,
configurate it to work with a Forwarder license,
forward all logs to the other server,
configure it as Searche Haed that uses the other server
use it for the searches.

for more information you can see at https://docs.splunk.com/Documentation/Splunk/9.0.2/DistSearch/Whatisdistributedsearch

Ciao.

Giuseppe

muradgh · ‎11-30-2022

Thank you @gcusello ^^

gcusello · ‎11-30-2022

Hi @muradgh,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Is there a way to separate indexer and search head apart?

Other

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout