I am setting up a green-field Splunk environment with one search head and one indexer, which we would like to separate out for performance reasons. There is no indexing cluster needed (at least at this time). How do I configure the search head? I can set up a search peer which can successfully query the indexer server, however, I suspect that the indexer server may actually be performing the search.
Just my opinion, but set up a cluster now. Everyone correct me if I'm wrong, but once you have a single-instance node you can't import the data into a cluster. So if your Splunk requirements grow you won't have the flexibility.
Hey guys. I did peruse the documentation prior to submitting the question, and typically it discusses configuration in the context of setting up clustered roles (which I am not doing...at least currently).
@MuS, I do not want the indexer processing the searches (if possible), as that machine is not processor intensive. The search head, however, is stacked with procs, so I want to perform the searches there (if possible).
@woodcock, I had set up the search peers in the manner you described, which works, but those searches are hitting the indexer in the peer role (I think).
Is what I am after achievable?
I don't understand what you mean, but if the Search peers screen shows Replication status is Up, then it is all good. Also, the Indexer absolutely MUST "perform the searches" because he is the one that has the data. If you mean you would not like to have people log in to the Indexer to perform the searches there, then I agree; have them log in to the Search Head now that it is peered to the Indexer.
@woodcock Sounds like what I am after is not achievable. Was led to believe (by our Splunk rep) that you could split out the searching from the indexing. If any search always hits the indexer with the search processing, then I'm unsure what benefit I would get unless I was clustering.
The benefit of what you are asking for is easy scalability. Set it up now with the expectation of growth: separate search head and indexers. You might not notice a performance increase now (vs. one big box, as @MuS commented), but once you start expanding it will be much easier if they are already loosely coupled.
What in the world are your motivations and what exactly are you trying to achieve? You seem to be saying something analogous to "How do I spell 'Splunk' but without using any letters?" which is, obviously, utterly nonsensical.
As @MuS said, read the dox first, but if you still don't get it, and this is really all you need to do, it is fairly trivial. Just log on to your Search Head as a user with admin privileges and go to Distributed Search -> Search peers -> New, and enter Your.DottedQuad.IP.Address:8089 along with the Login ID and Password of a user with admin privileges on your Indexer, and click save. Done!
@woodcock I set up search peers just fine. If you search against one Splunk server in that scenario, does it use resources from the search peer? Or is the 'heavy lifting' done only on the server you are searching on?
The heavy lifting is done by the Indexers; it has to be that way because that is where the data is! The Search Head does the "map" part of the map-reduce job and the Indexer does the "reduced" part (the heavy lifting). The results are sent back to the Search Head to be integrated (if there is more than 1 Indexer) and presented to the user.
See the docs to set up a search head http://docs.splunk.com/Documentation/Splunk/6.2.4/DistSearch/Whatisdistributedsearch
Yes, the indexer will perform the actual search, and the search head then merges the results back to the user (if you have multiple indexers or search peers).
Hope this helps ...