- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Two Search Heads One Indexer
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have two Splunk instances, a development and a test platform. Can I have them both pointing to the same indexer without having them interfere with each other? My administrator tells me that the etc\apps folders must be identical on both machines. That will never happen for obvious reasons. Currently the test platform is talking with an indexer while I use a second license to index the same data on my dev machine. This feels like duplicated effort and needless use of a second license. For reasons of security, the data is not forwarded but is manually downloaded on a daily basis.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is not true. Each search head has its own configurations, which can be completely different.
Perhaps your administrator is thinking of pooled search heads - which is not what you want to do.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My assumption was that the test SH instance is for testing the apps you're developing in the DEV instance. I mean the apps to go to Test Search head.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is not true. Each search head has its own configurations, which can be completely different.
Perhaps your administrator is thinking of pooled search heads - which is not what you want to do.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You said, "by deploying the developed apps to test index"
My admin wants to know whether you mean indexer instead of "test indexer" We have one search head pointing to one indexer. My Dev is indexing its data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, that's what I needed to know.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes...Indexers will store data that will be used by both the SH instances. How they want use it is defined by configurations in /etc/apps (apps) which can stay different.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I can have apps on my dev box that will never be put into testing or production. After all dev is my sandbox. Only authorized apps get to test. I want to be clear that etc\apps will never be identical.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As long as you're just doing read operations of indexed data, you can use the same indexer for both instances. /etc/apps can be made identical by deploying the developed apps to test index (once testing is done).
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
