Splunk Enterprise

Splunk Upgrade Requirement Clarification

R15
Path Finder

Hi, 

We're preparing to upgrade SE from 8 to 9 and have a question about this requirement:

For distributed deployments of any kind, confirm that all machines in the indexing tier satisfy the following conditions: 

  • ...
  • ...
  • They do not run their own saved searches

If our indexers are also search heads, would that violate this?

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

What you describe sounds like a non-standard installation.  If the indexers are replicating buckets to each other then that would be an indexer cluster, which should not also be operating as search heads.  With an indexer cluster, the search heads should be separate instances.

To answer your question, yes, I believe all of your saved searches present on the indexers would violate the condition.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Indexers should not also be search heads, unless you have a collection of standalone Splunk instances (which would be uncommon).

A standalone instance is not a distributed deployment so the listed conditions do not apply.

In a distributed deployment, search head and indexer instances are on separate machines and the SHs send search requests to the indexers for fulfillment.  If this is the case at your company and you also have the indexers acting as search heads then you must make sure the indexers do not have their own saved searches.

---
If this reply helps you, Karma would be appreciated.

R15
Path Finder

@richgalloway 
I'm new here and still trying to wrap my around this as I prepare to help upgrade and then later expand our setup. It's a very small deployment (for now), 2 indexers which are also search heads with replication between indexers. Would this mean ALL of our saved searches violate the above?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

What you describe sounds like a non-standard installation.  If the indexers are replicating buckets to each other then that would be an indexer cluster, which should not also be operating as search heads.  With an indexer cluster, the search heads should be separate instances.

To answer your question, yes, I believe all of your saved searches present on the indexers would violate the condition.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...