Setting up a search head and indexer on existing machine

chintan_shah
Path Finder

Hi All,

Currently I have a single instance which acts as indexer as well as search head. But I am planning to include another instance, make it the indexer, and use the existing machine as search head.
Could anyone explain how I can achieve that, and also how I can use the existing index data for searching as well?
Thanks

0 Karma
1 Solution

Steve_G_
Splunk Employee

This is what's known as a Splunk distributed search topology. See this topic, and the ones that directly follow it, for set-up information: http://docs.splunk.com/Documentation/Splunk/6.6.2/DistSearch/Overviewofconfiguration

0 Karma

somesoni2
SplunkTrust

It would be easier to use the existing machine as the indexer (you won't have to migrate data to a new server that way) and use the new machine as the search head. Just install Splunk on the new search head, set up licensing and add the existing server as a search peer (http://docs.splunk.com/Documentation/Splunk/6.6.2/DistSearch/Configuredistributedsearch).

chintan_shah
Path Finder

Hi somesoni2,

Given a scenario where I have two instances (a workstation with 4 cores and another workstation with 8 cores), which would you suggest to use for indexer and search head?

0 Karma

somesoni2
SplunkTrust

Assuming you don't have a search quota issue right now, I would go with the 8 core box as the indexer.

0 Karma

chintan_shah
Path Finder

Hi @somesoni2,

I have various apps, lookups, scheduled searches, reports, dashboards & config file changes. Should they be present at the search head or the indexer?

0 Karma

chintan_shah
Path Finder

Thanks somesoni2, the issue is the current machine doesn't have high processing capacity (currently it's 4 core) and hence I need to have the new machine (8 core) as the indexer.

0 Karma

chintan_shah
Path Finder

Hi Steve G.,
Given a scenario where I have two instances (a workstation with 4 cores and another workstation with 8 cores), which would you suggest to use for indexer and search head?

0 Karma