Hi.
Is it possible to achieve the following configuration?
Please tell me how, if possible.
Server # 1: "search-head" and "indexer"
Server # 2: "SplunkWeb"
License is Splunk Free.
Just to pile on to what the others have been saying here. Splunk is not designed as a "3-tier" application, as you would think of coming from a J2EE world. You cannot run the "web tier" separate from the "application tier" and "database tier". It's just not architected that way.
Under a certain light, with a specific lens, distributed search starts to look sorta like a 2-tier application separating the web and app tiers from the database tier - but this is in my opinion a false analysis. Yes, in distributed search, the data is stored on the indexers, separately from the search heads. But, because Splunk uses Map-Reduce algorithms to coordinate work between the search heads and indexers, it cannot be said that the "business logic" is done on the search head tier and the "data storage" (and only the storage) is done on the indexing tier. The search heads and the indexers work together to run the "business logic" needed to perform a search.
As everyone else has noted, distributed search doesn't work on the Free license anyway, so it is somewhat moot for you personally.
Finally, as of Splunk 6.2, MUCH of the Splunkweb functionality was pulled entirely from Splunkweb and put into Splunkd. In Splunk 6.1, "splunkweb" listened directly on the HTTP 8000 port and processed ALL HTTP requests from browsers, proxying requests as-needed back to Splunkd on 8089. In 6.2, this was flipped around - the HTTP 8000 port is now listened to directly by Splunkd, and the "splunkweb" process has become a limited scope appserver for running what server-side python and such is required to render templates and so forth. See http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Webconf and the section for "appServerPorts"
Everyone, thank you for all the answers.
With the following settings, I was able to do what I wanted.
However, it worked with the "Splunk Enterprise License",
but not with the "Splunk Free License".
■Server#1: "search-head" and "indexer"
+++++++++++ web.conf +++++++++++
[settings]
startwebserver = 0
mgmtHostPort = 127.0.0.1:8089
++++++++++++++++++++++++++++++++
++++++++++ server.conf +++++++++
[kvstore]
disabled = false
[httpServer]
disableDefaultPort = true
++++++++++++++++++++++++++++++++
---> netstat -anp
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN 6632/splunkd
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN 6632/splunkd
tcp 0 0 0.0.0.0:8191 0.0.0.0:* LISTEN 6645/mongod
■Server#2: "SplunkWeb"
+++++++++++ web.conf +++++++++++
[settings]
startwebserver = 1
httpport = 8000
mgmtHostPort = Server#1:8089
appServerPorts = 0
++++++++++++++++++++++++++++++++
++++++++++ server.conf +++++++++
[kvstore]
disabled = true
++++++++++++++++++++++++++++++++
---> netstat -anp
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 4461/python
No, it is not possible. Nor is it necessary. In any case, the UI just reads from the API. You can disable web, but you can't run just port 8000 on a different server.
What you could do is set up a proxy server like HAPROXY or NGINX, or a load balancer, and have it "handle" the web requests. But still Splunk Web will be running on the Splunk server that's serving the proxy / NLB.
jkat54, thank you for the answers.
https://answers.splunk.com/comments/469520/view.html
What you are thinking of is a search peer and distributed searching. Box A can be both an indexer and search-head while Box B is just a search head configured to look at Box A as a search peer.
Reference this doc: http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Configuredistributedsearch
And this one: http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Forwardsearchheaddata
However, that said, you will not be able to do this with a free license. Distributed search is one feature disabled...
Reference: https://www.splunk.com/en_us/products/splunk-enterprise/free-vs-enterprise.html
jlanders, esix [Splunk], thank you for the answers.
https://answers.splunk.com/comments/469520/view.html
Thanks.
Sorry for the unclear question.
I want to separate splunkweb from splunkd.
And I do not think that is distributed search.
Is such a configuration possible?
You can disable the web interface.
Yep, this is true. But it will still require distributed search functionality to set up a different splunk server to be the search head. That part won't be possible on the Free license.
I don't think it's possible. The reality is that splunkweb is a minor process compared to splunkd. It's splunkd that actually handles everything. You'd likely have better luck looking into how you could proxy the web connection to give the appearance of separation.
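The reverse-proxy approach suggested in two of the answers above, sketched as an nginx configuration. This is an added example, not something posted in the thread; the hostname, upstream address and certificate paths are placeholders, and only port 8000 is taken from the page.

```nginx
# Added example: nginx on a separate front-end host terminates TLS and
# forwards browser traffic to Splunk Web, which still runs on the Splunk server.
# All names, addresses and paths below are placeholders.

upstream splunk_web {
    server 10.0.0.10:8000;    # placeholder address; 8000 is the httpport used on this page
    keepalive 8;              # reuse connections to the Splunk server
}

# Redirect plain HTTP to HTTPS so credentials are never sent in clear text
# between the browser and the proxy.
server {
    listen 80;
    server_name splunk.example.internal;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name splunk.example.internal;

    ssl_certificate     /etc/nginx/tls/splunk.example.internal.crt;
    ssl_certificate_key /etc/nginx/tls/splunk.example.internal.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only the web UI is published. The management port (8089) is
    # deliberately not proxied and should not be reachable by browsers.
    location / {
        proxy_pass http://splunk_web;    # this hop is plain HTTP in this sketch
        proxy_http_version 1.1;
        proxy_set_header Connection "";  # required for upstream keepalive
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 300s;         # long-running searches keep requests open
    }
}
```

On the Splunk server, a host firewall that accepts port 8000 only from the proxy's address keeps browsers from bypassing it, and the proxy-to-Splunk hop should stay on a trusted network segment since it is unencrypted here.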