Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Searching across multiple standalone indexers without data replication / indexer clustering

vinitatsky
Communicator
‎10-05-2016 07:38 AM

I have 6 different DCs with standalone Splunk ENT installed working as indexers and no replication for security reasons.

Need to configure a SH to search across different DCs? Is this a preferred solution?

Can I configure stand alone Splunk (working as SH and IDX in local) to index local data only and search across different DCs, if required?

Any possible suggestions please.

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-05-2016 10:05 PM

Yes.
Best way is to install in each DC a Universal Forwarder that sends its logs to one or (better) more indexers, eventually clustered (if you need to maintain logs).
To search logs you can use an additional search head or (if clustered) one or more indexers.

Instead,if you want to store logs on the DC, you have to configure an additional Splunk configured as a Search Head that uses all the DC Splunks as Search peers.
To do this, install Splunk on a new machine and configure distributed search adding Search Peers:
[Settings -- Distributed Search -- Enable Distributed Search -- Add Search Peers] and restart Splunk.
Bye.
Giuseppe

0 Karma
Reply

mrybar
Explorer
‎10-05-2016 08:15 AM

Since you are looking for any and all suggestions, one might be to set each indexer up as a cluster of 1, then configure the search head to search across multiple indexer clusters this will work for multisite.

0 Karma
Reply

gwobben
Communicator
‎10-05-2016 07:59 AM

Sure you can, not really preferred though because if one indexer is down, you cannot search all of your data.

If you really want to you can:
- Settings
- Distributed search
- Search peers
- New
- Fill out the form
- Repeat for all the nodes

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...