Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I search a search head from another search head?

vanderaj1
Path Finder
‎09-12-2016 11:18 AM

I think I already know the answer to this, but here goes:

I have a search head that can access my indexer as a search peer. I have another search head in a separate security group that cannot access my indexer as a search peer.

Could I connect the two search heads and then somehow search "through" the search heads to the indexer? In other words, could the search head that can't directly connect to the indexer query the indexer through the search head that can?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎09-12-2016 11:27 AM

Could I connect the two search heads and then somehow search "through" the search heads to the indexer?

No. There is no "proxy-ing" of distributed search. As you dispatch a search to search peers, they will respond with their own results but they will not pass on the search to their own search peers if any are defined.

View solution in original post

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎09-12-2016 11:27 AM

Could I connect the two search heads and then somehow search "through" the search heads to the indexer?

No. There is no "proxy-ing" of distributed search. As you dispatch a search to search peers, they will respond with their own results but they will not pass on the search to their own search peers if any are defined.

Reply
Solved! Jump to solution

vanderaj1
Path Finder
‎09-13-2016 08:24 AM

Thanks for responding! Yep, I thought that to be the case. I appreciate the confirmation -we'll go about this in another way on our end.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎10-12-2016 04:58 AM

If you for some reason needed an intermediary you could probably use load balancer such as haproxy or nginx to forward port 8089 to the appropriate hosts in both directions. It's certainly nothing I've seen before however.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...