Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Re: knowledge bundle without a shared storage?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have one search head and one indexer. How can I use the Knowledge bundle without using a shared storage?
Thanks,
Maryam
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I don't misunderstand you somehow what you're asking for is really the normal way to setup distributed search. Configure the indexer as a search peer to the search head, and the search head will automatically send the knowledge bundles the indexer needs when issuing searches. http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Configuredistributedsearch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I don't misunderstand you somehow what you're asking for is really the normal way to setup distributed search. Configure the indexer as a search peer to the search head, and the search head will automatically send the knowledge bundles the indexer needs when issuing searches. http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Configuredistributedsearch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am curious as to what has you thinking you need/want to do this? This is designed mostly for multiple indexers. True it is a performance consideration but with your configuration I don't know that it will gain you much improvments.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As Ayn said above, the Knowledge Bundle is a part of normal processing. It seems to me that you are considering Search Head pooling where the information the Search Heads send to the Indexers is made static and stored on a shared file system to which all Search Heads and Indexers can access and updated when there are changes made to these configs. More info at http://docs.splunk.com/Documentation/Splunk/5.0.3/Deploy/Configuresearchheadpooling. Know that there is a performance hit with this option; your milage may vary.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, Just doing it for the future scalability purposes.So for one search head and one indexer I do not need to use the bundle?
another question is in future if I add more indexers how much work it would be to configure the Knowledge Bundle?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Mile High Learning with Splunk University, Denver, Colorado
IT Service Intelligence 5.0 Series: Your Guide to the June Launch
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
