Is it possible to install Splunk Web on another server?

amemiya
New Member

Hi.

Is it possible to achieve the following configuration?
Please tell me how, if possible.

Server # 1: "search-head" and "indexer"
Server # 2: "SplunkWeb"

License is Splunk Free.

0 Karma
1 Solution

dwaddle
SplunkTrust

Just to pile on to what the others have been saying here. Splunk is not designed as a "3-tier" application, as you would think of coming from a J2EE world. You cannot run the "web tier" separate from the "application tier" and "database tier". It's just not architected that way.

Under a certain light, with a specific lens, distributed search starts to look sorta like a 2-tier application separating the web and app tiers from the database tier - but this is in my opinion a false analysis. Yes, in distributed search, the data is stored on the indexers, separately from the search heads. But, because Splunk uses Map-Reduce algorithms to coordinate work between the search heads and indexers, it cannot be said that the "business logic" is done on the search head tier and the "data storage" (and only the storage) is done on the indexing tier. The search heads and the indexers work together to run the "business logic" needed to perform a search.

As everyone else has noted, distributed search doesn't work on the Free license anyway, so it is somewhat moot for you personally.

Finally, as of Splunk 6.2, MUCH of the Splunkweb functionality was pulled entirely from Splunkweb and put into Splunkd. In Splunk 6.1, "splunkweb" listened directly on the HTTP 8000 port and processed ALL HTTP requests from browsers, proxying requests as-needed back to Splunkd on 8089. In 6.2, this was flipped around - the HTTP 8000 port is now listened to directly by Splunkd, and the "splunkweb" process has become a limited scope appserver for running what server-side python and such is required to render templates and so forth. See http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Webconf and the section for "appServerPorts"

amemiya
New Member

Everyone, thank you for a lot of answers.

With the following settings, I was able to do what you want.
However, it worked in the case of the "Splunk Enterprise License",
but not with the "Splunk Free License".

■Server#1: "search-head" and "indexer"

+++++++++++ web.conf +++++++++++
[settings]
startwebserver = 0
mgmtHostPort = 127.0.0.1:8089
++++++++++++++++++++++++++++++++

++++++++++ server.conf +++++++++
[kvstore]
disabled = false

[httpServer]
disableDefaultPort = true
++++++++++++++++++++++++++++++++

---> netstat -anp
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN 6632/splunkd
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN 6632/splunkd
tcp 0 0 0.0.0.0:8191 0.0.0.0:* LISTEN 6645/mongod

■Server#2: "SplunkWeb"

+++++++++++ web.conf +++++++++++
[settings]
startwebserver = 1
httpport = 8000
mgmtHostPort = Server#1:8089
appServerPorts = 0
++++++++++++++++++++++++++++++++

++++++++++ server.conf +++++++++
[kvstore]
disabled = true
++++++++++++++++++++++++++++++++

---> netstat -anp
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 4461/python

0 Karma
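
An added example, not part of the original posts: a check over the `web.conf` and `netstat` output posted above that reports which Server #1 listeners are bound to non-loopback addresses and whether Splunk Web's `mgmtHostPort` sends its REST traffic to another host. The port-role table and the function names are assumptions of this example; the sample input is copied from the post.

```python
import configparser

# Sample input copied from the post above ("Server#1" is the poster's placeholder).
NETSTAT_SERVER1 = """\
tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN 6632/splunkd
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN 6632/splunkd
tcp 0 0 0.0.0.0:8191 0.0.0.0:* LISTEN 6645/mongod
"""
WEB_CONF_SERVER2 = """\
[settings]
startwebserver = 1
httpport = 8000
mgmtHostPort = Server#1:8089
appServerPorts = 0
"""

# Assumed role table: conventional default Splunk ports.
ROLES = {8000: "Splunk Web", 8089: "splunkd management/REST",
         8191: "KV store (mongod)", 9997: "forwarder receiving"}
LOOPBACK = ("127.0.0.1", "::1", "localhost")


def exposed_listeners(netstat_text):
    """Return (port, role, program) for each TCP listener not bound to loopback."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue  # header lines, UDP sockets, established connections
        host, _, port = f[3].rpartition(":")
        if host in LOOPBACK or host.startswith("127."):
            continue
        program = f[6].split("/", 1)[-1]
        found.append((int(port), ROLES.get(int(port), "unknown"), program))
    return found


def remote_mgmt_target(web_conf_text):
    """Return mgmtHostPort when Splunk Web talks to splunkd on another host."""
    cp = configparser.ConfigParser()
    cp.read_string(web_conf_text)
    target = cp.get("settings", "mgmtHostPort", fallback="127.0.0.1:8089")
    host = target.rpartition(":")[0]
    return None if host in LOOPBACK or host.startswith("127.") else target


if __name__ == "__main__":
    for port, role, program in exposed_listeners(NETSTAT_SERVER1):
        print(f"Server #1: {port}/tcp ({role}, {program}) listens on all interfaces")
    print("Splunk Web REST target:", remote_mgmt_target(WEB_CONF_SERVER2))
```

Each listener reported for Server #1 is reachable from any host that can route to it, so in this split layout port 8089 needs a host firewall rule that limits it to Server #2.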

jkat54
SplunkTrust

No, it is not possible. Nor is it necessary. In any case, the UI just reads from the API. You can disable web, but you can't run just port 8000 on a different server.

What you could do is set up a proxy server like HAPROXY or NGINX, or a load balancer, and have it "handle" the web requests. But still splunk web will be running on the splunk server that's serving the proxy / NLB.

amemiya
New Member

jkat54, thank you for a lot of answers.
https://answers.splunk.com/comments/469520/view.html

0 Karma

jlanders
Path Finder

What you are thinking of is a search peer and distributed searching. Box A can be both an indexer and search-head while Box B is just a search head configured to look at Box A as a search peer.

Reference this doc: http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Configuredistributedsearch
And this one: http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Forwardsearchheaddata

However, that said, you will not be able to do this with a free license. Distributed search is one feature disabled...
Reference: https://www.splunk.com/en_us/products/splunk-enterprise/free-vs-enterprise.html

amemiya
New Member

jlanders, esix [Splunk], thank you for a lot of answers.
https://answers.splunk.com/comments/469520/view.html

0 Karma

amemiya
New Member

Thanks.
I'm sorry for the unclear question.

I want to separate splunkweb from splunkd.
And I do not think that is distributed search.
Is such a configuration possible?

0 Karma

esix_splunk
Splunk Employee

You can disable the web interface.

jlanders
Path Finder

Yep, this is true. But it will still require distributed search functionality to set up a different splunk server to be the search head. That part won't be possible on the Free license.

jlanders
Path Finder

I don't think it's possible. The reality is that splunkweb is a minor process compared to splunkd. It's splunkd that actually handles everything. You'd likely have better luck looking into how you could proxy the web connection to give the appearance of separation.
