
Two Search Heads One Indexer

Builder

I have two Splunk instances, a development and a test platform. Can I have them both pointing to the same indexer without having them interfere with each other? My administrator tells me that the etc\apps folders must be identical on both machines. That will never happen for obvious reasons. Currently the test platform is talking with an indexer while I use a second license to index the same data on my dev machine. This feels like duplicated effort and needless use of a second license. For reasons of security, the data is not forwarded but is manually downloaded on a daily basis.


Legend

This is not true. Each search head has its own configurations, which can be completely different.

Perhaps your administrator is thinking of pooled search heads - which is not what you want to do.


SplunkTrust

My assumption was that the test SH instance is for testing the apps you're developing in the DEV instance. I mean the apps that go to the Test search head.


Builder

You said, "by deploying the developed apps to test index"

My admin wants to know whether you mean indexer instead of "test indexer". We have one search head pointing to one indexer. My Dev is indexing its data.


Builder

Thanks, that's what I needed to know.


SplunkTrust

Yes... Indexers will store data that will be used by both the SH instances. How they want to use it is defined by configurations in /etc/apps (apps), which can stay different.


Builder

So I can have apps on my dev box that will never be put into testing or production. After all, dev is my sandbox. Only authorized apps get to test. I want to be clear that etc\apps will never be identical.


SplunkTrust

As long as you're just doing read operations of indexed data, you can use the same indexer for both instances. /etc/apps can be made identical by deploying the developed apps to test index (once testing is done).
