@SplunkExplorer wrote:

Hi Splunkers, I have a doubt about setting for Splunk Enterprise Security. As usual when I put a question here, let me share a minimum of context and assumptions.

Environment:
A completely on-prem Splunk Enterprise (no Splunk Cloud SaaS).
Currently, only one SH
Clustered indexers

Task: Install and configure a SH with Splunk Enterprise Security.

Assumption:
I know the full installation procedure (doc + Splunk Enterprise Admin course)
I know how to manage a cluster environment (doc + Architect course). For example, I know that if I have to set a Splunk instance as SH I can use, from CLI:

    > splunk edit cluster-config
    -mode searchhead
    -manager_uri https://<manager node address>
    -secret <cluster secret>

Questions:
Is this syntax still valid to add a SH with ES installed on it? The doubt is if the ES presence should lead me to use a different approach to tell "Hey, SH with ES: indexers to query are those".
Should the SH with the ES component be added as a single SH (so, decoupled from the already existing SH) or should I create a SH Cluster with normal SH + ES?

Check DM.