Splunk Enterprise

Adding a standalone Splunk Enterprise server as a cluster search peer - Am I interpreting this correctly?

jkalbert
Explorer

I am planning a migration of Splunk Enterprise to a new instance. The old instance consists of a single standalone server. The new one has a search head, an indexer cluster master, and 3 indexer cluster peers.

My original plan was this:

  1. Add the old standalone server to the new search head as a search peer
  2. Instruct users to search from the new search head instead of the old standalone server
  3. Reconfigure my 300+ universal forwarders to send data to the new indexer cluster instead of the old standalone instance
  4. Retain the old standalone server for 1 year until we no longer need the data, then decommission it

But based on the following documentation, I would also need to deactivate the search role on the old standalone server before performing step 1.

https://docs.splunk.com/Documentation/Splunk/9.0.1/DistSearch/Configuredistributedsearch

Am I interpreting this correctly?

Thanks in advance.


richgalloway
SplunkTrust

Your plan looks good.  I see nothing in the cited document that requires you to "deactivate the search role".  Indexers can search, but only themselves and only if users are allowed to log in.

---
If this reply helps you, Karma would be appreciated.


jkalbert
Explorer

Update: I was able to add the standalone Splunk Enterprise server as a search peer on the new search head without any issues. Search still functions on both the old and new servers.


jkalbert
Explorer

Thank you for your reply. This is the section that has me worried:

Important: A search head cannot perform a dual function as a search peer. The only exception to this rule is for the monitoring console, which functions as a "search head of search heads."

Maybe I'm misinterpreting this, though.


richgalloway
SplunkTrust

I can see where that could be confusing.  Please submit feedback on the docs page so the team can fix it.
