Can same server be SH , indexer and console for s...

Mad2 · ‎02-15-2024

need to install the splunk enterprise and wanted to make SH and indexer , universal forwarder same system , please advise

PickleRick · ‎02-16-2024

The only reason I can think of to try to do such thing would be to set up a small lab for learning Splunk in a bit more "distributed" setup than just an all-in-one server.

But in such case, I'd go for spinning up separate VMs and installing each component on a separate VM.

Also be prepared for a very very low performance.

gcusello · ‎02-15-2024

Hi @Mad2,

about Universal Forwarder, as @richgalloway said, you don't need it if you have a full Splunk instance, even if it's a lab installation.

About the opportunity to have Search Head, Indexer and Monitoring Console on the same server, it's possible if you have a stand alone Splunk Server , and to have it, you don't need to do nothing, only install Splunk.

If instead you have a distributed architecture, with more SHs and/or more indexers, it isn't possible: you must have dedicated systems for SHs and different dedicated systems for IDXs.

Monitoring Console could share the system with other roles, but not SHs, IDXs and Deployment Server (if you have to manage more than 50 clients).

Ciao.

Giuseppe

richgalloway · ‎02-15-2024

Don't install multiple instances of Splunk on the same server as that invites trouble. It can be done, but it requires and lot of customization.

There's no need to have a UF on the same server as a full instance of Splunk since the full instance can do everything a UF can do (and more).

---
If this reply helps you, Karma would be appreciated.

Can same server be SH , indexer and console for splunk enterprise

indexer

search head

universal forwarder

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk

Modern way of developing distributed application using OTel