Splunk Enterprise

Adding a standalone Splunk Enterprise server as a cluster search peer - Am I interpreting this correctly?

jkalbert
Explorer

I am planning a migration of Splunk Enterprise to a new instance. The old instance consists of a single standalone server. The new one has a search head, an indexer cluster master, and 3 indexer cluster peers.

My original plan was this:

  1. Add the old standalone server to the new search head as a search peer
  2. Instruct users to search from the new search head instead of the old standalone server
  3. Reconfigure my 300+ universal forwarders to send data to the new indexer cluster instead of the old standalone instance
  4. Retain the old standalone server for 1 year until we no longer need the data, then decommission it

But based on the following documentation, I would also need to deactivate the search role on the old standalone server before performing step 1.

https://docs.splunk.com/Documentation/Splunk/9.0.1/DistSearch/Configuredistributedsearch

Am I interpreting this correctly?

Thanks in advance.

richgalloway
SplunkTrust

Your plan looks good. I see nothing in the cited document that requires you to "deactivate the search role". Indexers can search, but only themselves and only if users are allowed to log in.

---
If this reply helps you, Karma would be appreciated.

jkalbert
Explorer

Update: I was able to add the standalone Splunk Enterprise server as a search peer on the new search head without any issues. Search still functions on both the old and new servers.

jkalbert
Explorer

Thank you for your reply. This is the section that has me worried:

Important: A search head cannot perform a dual function as a search peer. The only exception to this rule is for the monitoring console, which functions as a "search head of search heads."

Maybe I'm misinterpreting this, though.

richgalloway
SplunkTrust

I can see where that could be confusing. Please submit feedback on the docs page so the team can fix it.

---
If this reply helps you, Karma would be appreciated.