Hi @antoniorp77,

as @PickleRick said, why do you want to do this?

apparently, there isn't any sense to this configuration because if you need of a system that concentrates logs or takes syslogs, you can use the same SH instance or one Indexer.

In addition, two instances require double resources: have hou 28 CPUs and 24 GB RAM on your Splunk server?

At least, if you have these resources and you want to have this non sense configuration, you can use different ports to access both the instances and they separately run: I tried (only in test!) to have different instances on the same server and correctly runned ussing diferent ports.

Ciao.

Giuseppe

Hi @gcusello thank you for your response.

I was trying to install two different instances on the same server because I am taking a Splunk course and that is how the teacher did it. However, he did not show how he did it. All I was able to see was that he had two different Splunk instances on the same browser, on the same VM with different IP addresses and different apps running on the same port (8000). He configured one of them to be a search head and the other one to be a heavy forwarder. From what you are telling me, I assume that I should configure the heavy forwarder on the same instance where I configured my search head?

Hi @PickleRick,

Thank you for explaining. It has worked now that I have installed the SH on one VM and the HF on another on another VM.

To avoid multiple VMs, you can also use Splunk in docker splunk/splunk - Docker Image | Docker Hub

To be fully honest, I could never grasp the idea behind dockerized splunk. In order to have persistent configuration and data (and splunk doesn't make sense otherwise) you still have to externalize the important stuff from the docker container so in fact you're simply pointlessly doing a deployment from scratch every time you launch your container.

I know that containers are "the thing" nowadays but they are relatively good for thin stateless services, not for a quite huge - in comparison - solution that splunk is.

@PickleRick

It does solve the problem, however one thing concerns me. If I have multiple VMs running on Kali Linux each of them will take at least 8GB to install. So do you know if there is a way to do this without consuming so much space? Considering that I will be only using the extra VMs just as Splunk instances.

Well, if it's a production environment, you have your minimal recommended component sizes and there's really no way around it (in fact 8GB for a production search-head is a very low-spec machine; you should have at least 16GB).

But if it's a lab one - well, you can try to install it on a lower-spec machine but be prepared that it might crash. The HF should not, however have that huge memory footprint since it shouldn't do very memory-intensive operations - it "just" parses the data and sends them out.