Splunk Enterprise

Adding a standalone Splunk Enterprise server as a cluster search peer - Am I interpreting this correctly?

jkalbert
Explorer

I am planning a migration of Splunk Enterprise to a new instance. The old instance consists of a single standalone server. The new one has a search head, an indexer cluster master, and 3 indexer cluster peers.

My original plan was this:

  1. Add the old standalone server to the new search head as a search peer
  2. Instruct users to search from the new search head instead of the old standalone server
  3. Reconfigure my 300+ universal forwarders to send data to the new indexer cluster instead of the old standalone instance
  4. Retain the old standalone server for 1 year until we no longer need the data, then decommission it

But based on the following documentation, I would also need to deactivate the search role on the old standalone server before performing step 1.

https://docs.splunk.com/Documentation/Splunk/9.0.1/DistSearch/Configuredistributedsearch

Am I interpreting this correctly?

Thanks in advance.


richgalloway
SplunkTrust

Your plan looks good.  I see nothing in the cited document that requires you to "deactivate the search role".  Indexers can search, but only themselves and only if users are allowed to log in.

---
If this reply helps you, Karma would be appreciated.


jkalbert
Explorer

Update: I was able to add the standalone Splunk Enterprise server as a search peer on the new search head without any issues. Search still functions on both the old and new servers.



jkalbert
Explorer

Thank you for your reply. This is the section that has me worried:

Important: A search head cannot perform a dual function as a search peer. The only exception to this rule is for the monitoring console, which functions as a "search head of search heads."

Maybe I'm misinterpreting this, though.


richgalloway
SplunkTrust

I can see where that could be confusing.  Please submit feedback on the docs page so the team can fix it.
