
Is it possible to install Splunk Web on another server?

New Member

Hi.

Is it possible to achieve the following configuration?
Please tell me how, if possible.

Server # 1: "search-head" and "indexer"
Server # 2: "SplunkWeb"

License is Splunk Free.


Re: Is it possible to install Splunk Web on another server?

Path Finder

What you are thinking of is a search peer and distributed searching. Box A can be both an indexer and search-head while Box B is just a search head configured to look at Box A as a search peer.

Reference this doc: http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Configuredistributedsearch
And this one: http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Forwardsearchheaddata

However, that said, you will not be able to do this with a free license. Distributed search is one feature disabled...
Reference: https://www.splunk.com/en_us/products/splunk-enterprise/free-vs-enterprise.html


Re: Is it possible to install Splunk Web on another server?

New Member

Thanks.
I'm sorry for the obscure question.

I want to separate splunkweb from splunkd.
And I do not think that's distributed search.
Is such a configuration possible?


Re: Is it possible to install Splunk Web on another server?

Path Finder

I don't think it's possible. The reality is that splunkweb is a minor process compared to splunkd. It's splunkd that actually handles everything. You'd likely have better luck looking into how you could proxy the web connection to give the appearance of separation.


Re: Is it possible to install Splunk Web on another server?

Splunk Employee

You can disable the web interface.


Re: Is it possible to install Splunk Web on another server?

Path Finder

Yep, this is true. But it will still require distributed search functionality to set up a different splunk server to be the search head. That part won't be possible on the Free license.


Re: Is it possible to install Splunk Web on another server?

New Member

jlanders, esix [Splunk]. Thank you for all the answers.
https://answers.splunk.com/comments/469520/view.html


Re: Is it possible to install Splunk Web on another server?

SplunkTrust

No, it is not possible. Nor is it necessary. In any case, the UI just reads from the API. You can disable web, but you can't run just port 8000 on a different server.

What you could do is set up a proxy server like HAPROXY or NGINX, or a load balancer, and have it "handle" the web requests. But still splunk web will be running on the splunk server that's serving the proxy / NLB.


Re: Is it possible to install Splunk Web on another server?

New Member

jkat54. Thank you for all the answers.
https://answers.splunk.com/comments/469520/view.html


Re: Is it possible to install Splunk Web on another server?

SplunkTrust

Just to pile on to what the others have been saying here. Splunk is not designed as a "3-tier" application, as you would think of coming from a J2EE world. You cannot run the "web tier" separate from the "application tier" and "database tier". It's just not architected that way.

Under a certain light, with a specific lens, distributed search starts to look sorta like a 2-tier application separating the web and app tiers from the database tier - but this is in my opinion a false analysis. Yes, in distributed search, the data is stored on the indexers, separately from the search heads. But, because Splunk uses Map-Reduce algorithms to coordinate work between the search heads and indexers, it cannot be said that the "business logic" is done on the search head tier and the "data storage" (and only the storage) is done on the indexing tier. The search heads and the indexers work together to run the "business logic" needed to perform a search.

As everyone else has noted, distributed search doesn't work on the Free license anyway, so it is somewhat moot for you personally.

Finally, as of Splunk 6.2, MUCH of the Splunkweb functionality was pulled entirely from Splunkweb and put into Splunkd. In Splunk 6.1, "splunkweb" listened directly on the HTTP 8000 port and processed ALL HTTP requests from browsers, proxying requests as-needed back to Splunkd on 8089. In 6.2, this was flipped around - the HTTP 8000 port is now listened to directly by Splunkd, and the "splunkweb" process has become a limited scope appserver for running what server-side python and such is required to render templates and so forth. See http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Webconf and the section for "appServerPorts"
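
The proxy arrangement suggested in the answers above, written as an nginx configuration for Server #2. This is an added example, not part of any post in this thread and not Splunk's own configuration. Hostnames, certificate paths and the client address range are placeholders, and it assumes Splunk Web on Server #1 listens on port 8000 with `enableSplunkWebSSL = true` in web.conf.

```nginx
# Runs on Server #2 (the proxy). Splunk Web itself stays on Server #1.
# All names, paths and address ranges below are placeholders.
upstream splunk_web {
    server splunk1.example.internal:8000;   # Server #1, Splunk Web port
    keepalive 8;
}

# Redirect plain HTTP so credentials never cross the network unencrypted.
server {
    listen 80;
    server_name splunk.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name splunk.example.com;

    ssl_certificate     /etc/nginx/tls/splunk.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/splunk.example.com.key;

    # Limit who can reach the login page at all.
    allow 10.0.0.0/8;
    deny  all;

    # Only the UI is published. The management port (8089) is not proxied.
    location / {
        proxy_pass         https://splunk_web;
        proxy_http_version 1.1;
        proxy_set_header   Connection        "";
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout 300s;             # long-running searches

        # Verify Server #1's certificate instead of trusting any endpoint.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_ssl_name                splunk1.example.internal;
        proxy_ssl_server_name         on;
    }
}
```

For the separation to mean anything, a host firewall on Server #1 should accept connections to port 8000 only from Server #2; otherwise clients can bypass the proxy and its access rules.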
