Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Setting up a search head and indexer on existing machine

chintan_shah
Path Finder
‎08-16-2017 11:24 AM

Hi All,

Currently I have a single instance which acts as indexers as well as search head. But i am planning to include another instance and make it as indexers and use the existing machine as search head.
Could anyone explain how can i achieve that and also how can i use the existing index data for searching as well.
Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Steve_G_
Splunk Employee
Splunk Employee
‎08-16-2017 11:36 AM

This is what's known as a Splunk distributed search topology. See this topic, and the ones that directly follow it, for set-up information: http://docs.splunk.com/Documentation/Splunk/6.6.2/DistSearch/Overviewofconfiguration

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-16-2017 11:45 AM

It would be easier to use the existing machine as Indexer (you won't have to migrate data to new server that way) and use new machine as search head. Just install Splunk on new search head, setup licensing and add existing server as search peer (http://docs.splunk.com/Documentation/Splunk/6.6.2/DistSearch/Configuredistributedsearch).

Reply
Solved! Jump to solution

chintan_shah
Path Finder
‎08-16-2017 01:05 PM

Hi somesoni2,

If given a scenario where i have two instances ( a workstation with 4 core and another workstation with 8 core), which you will suggest to use for indexer and search head?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-16-2017 01:59 PM

Assuming you don't have search quota issue right now, I would go with 8 core box as Indexer.

0 Karma
Reply
Solved! Jump to solution

chintan_shah
Path Finder
‎09-15-2017 01:09 PM

Hi @somesoni2,

I have various apps,lookups,schedule searches,reports , dashboards & config file changes. Should they be present at search head or indexer?

0 Karma
Reply
Solved! Jump to solution

chintan_shah
Path Finder
‎08-16-2017 11:53 AM

Thanks Somesoni2, the issue is the current machine doesnt have high processing capacity (currently its 4 Core) and hence need to have new machine (8 Core) as indexer.

0 Karma
Reply
Solved! Jump to solution
Solution

Steve_G_
Splunk Employee
Splunk Employee
‎08-16-2017 11:36 AM

This is what's known as a Splunk distributed search topology. See this topic, and the ones that directly follow it, for set-up information: http://docs.splunk.com/Documentation/Splunk/6.6.2/DistSearch/Overviewofconfiguration

0 Karma
Reply
Solved! Jump to solution

chintan_shah
Path Finder
‎08-16-2017 01:09 PM

Hi Steve G.
If given a scenario where i have two instances ( a workstation with 4 core and another workstation with 8 core), which you will suggest to use for indexer and search head?

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...