Adding a standalone Splunk Enterprise server as a cluster search peer - Am I interpreting this correctly?

jkalbert
Explorer

I am planning a migration of Splunk Enterprise to a new instance. The old instance consists of a single standalone server. The new one has a search head, an indexer cluster master, and 3 indexer cluster peers.

My original plan was this:

  1. Add the old standalone server to the new search head as a search peer
  2. Instruct users to search from the new search head instead of the old standalone server
  3. Reconfigure my 300+ universal forwarders to send data to the new indexer cluster instead of the old standalone instance
  4. Retain the old standalone server for 1 year until we no longer need the data, then decommission it

But based on the following documentation, I would also need to deactivate the search role on the old standalone server before performing step 1.

https://docs.splunk.com/Documentation/Splunk/9.0.1/DistSearch/Configuredistributedsearch

Am I interpreting this correctly?

Thanks in advance.

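The configuration behind steps 1 and 3 of this plan, as an added shell example that is not from the thread or from Splunk's own documentation. Hostnames, the account names, the password placeholders and the indexer-discovery key are assumptions; the `splunk add search-server` command line is only assembled and printed so it can be reviewed, not executed, so the script runs without a Splunk installation.

```shell
#!/bin/sh
# Added example (not from the thread): the two configuration pieces behind
# steps 1 and 3 of the migration plan. Hostnames, accounts and keys are placeholders.

# Step 1: register the old standalone server as a search peer of the new search head.
# The real command is run on the search head as $SPLUNK_HOME/bin/splunk. Here we only
# build the command line, and refuse a peer URI that is not https://host:port, since
# search-head-to-peer traffic goes over the management port (8089 by default) with TLS.
peer_add_cmd() {
  peer="$1"
  peer_user="$2"
  case "$peer" in
    https://*:[0-9]*) ;;
    *) echo "refusing peer '$peer': expected https://host:port" >&2; return 1 ;;
  esac
  # -auth authenticates to the local search head; -remoteUsername/-remotePassword are an
  # admin account on the peer, used during enrollment to exchange the search head's
  # public key with the peer. Replace the bracketed placeholders before running.
  printf 'splunk add search-server %s -auth admin:<local-password> -remoteUsername %s -remotePassword <peer-password>\n' \
    "$peer" "$peer_user"
}

# Step 3: outputs.conf for the universal forwarders. Instead of listing the three
# cluster peers by hand, indexer discovery asks the cluster master for the current
# peer list, so the 300+ forwarders need no further edit when peers change.
forwarder_outputs_conf() {
  master="$1"
  cat <<EOF
[indexer_discovery:migration_cluster]
master_uri = $master
pass4SymmKey = <indexer-discovery-key>

[tcpout]
defaultGroup = migration_cluster_group

[tcpout:migration_cluster_group]
indexerDiscovery = migration_cluster
useACK = true
EOF
}

# Usage: print the enrollment command and the forwarder stanza for review.
peer_add_cmd https://old-standalone.example:8089 peeradmin
forwarder_outputs_conf https://cm.example:8089
```

The peer credentials appear on the command line, so run the enrollment interactively rather than from a script that is kept, and verify the result afterwards with `splunk list search-server` on the search head. `pass4SymmKey` in the `indexer_discovery` stanza must match the one configured on the cluster master, and `useACK = true` makes the forwarders wait for indexer acknowledgement so data is not lost during the cutover.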
1 Solution

richgalloway
SplunkTrust

Your plan looks good. I see nothing in the cited document that requires you to "deactivate the search role". Indexers can search, but only themselves and only if users are allowed to log in.

---
If this reply helps you, Karma would be appreciated.


jkalbert
Explorer

Update: I was able to add the standalone Splunk Enterprise server as a search peer on the new search head without any issues. Search still functions on both the old and new servers.


jkalbert
Explorer

Thank you for your reply. This is the section that has me worried:

Important: A search head cannot perform a dual function as a search peer. The only exception to this rule is for the monitoring console, which functions as a "search head of search heads."

Maybe I'm misinterpreting this, though.


richgalloway
SplunkTrust

I can see where that could be confusing. Please submit feedback on the docs page so the team can fix it.
