Splunk Search

Can I search a search head from another search head?

Path Finder

I think I already know the answer to this, but here goes:

I have a search head that can access my indexer as a search peer. I have another search head in a separate security group that cannot access my indexer as a search peer.

Could I connect the two search heads and then somehow search "through" the search heads to the indexer? In other words, could the search head that can't directly connect to the indexer query the indexer through the search head that can?

Thanks!

0 Karma
1 Solution

Splunk Employee
Splunk Employee

Could I connect the two search heads and then somehow search "through" the search heads to the indexer?

No. There is no "proxy-ing" of distributed search. As you dispatch a search to search peers, they will respond with their own results but they will not pass on the search to their own search peers if any are defined.

View solution in original post

Splunk Employee
Splunk Employee

Could I connect the two search heads and then somehow search "through" the search heads to the indexer?

No. There is no "proxy-ing" of distributed search. As you dispatch a search to search peers, they will respond with their own results but they will not pass on the search to their own search peers if any are defined.

View solution in original post

Path Finder

Thanks for responding! Yep, I thought that to be the case. I appreciate the confirmation -we'll go about this in another way on our end.

0 Karma

SplunkTrust
SplunkTrust

If you for some reason needed an intermediary you could probably use load balancer such as haproxy or nginx to forward port 8089 to the appropriate hosts in both directions. It's certainly nothing I've seen before however.

0 Karma