Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Turn off indexing on dedicated search head?

JBarkerMox
Explorer
‎09-14-2011 12:48 PM

Splunk Deployment Document Page 98 states:
6. Set up the authentication method you want to use on the search head, just as you would for any
other Splunk instance. Do not set up any indexing on your search head, since that will violate its
license.

Exactly how do you turn off indexing on the search head?

Tags (1)
0 Karma
Reply

JBarkerMox
Explorer
‎09-16-2011 06:55 AM

This did not work for me. Splunk started behaving badly when I tried.
I figured out if you enable forwarding before defining and inputs, especially on the local box, then the search head does not start indexing. One thing I did get from this, as a newbie, was to always restart Splunk afetr making changes!! Thanks.

0 Karma
Reply

splunkIT
Splunk Employee
Splunk Employee
‎05-29-2013 10:10 AM

Be very careful when considering enabling SplunkLightForwarder app on the search head, as it will disable scheduled searches, and other functionalities:

http://splunk-base.splunk.com/answers/89515/oh-crap-scheduled-searches-have-stopped-running-without-...

Reply

yannK
Splunk Employee
Splunk Employee
‎09-14-2011 02:18 PM

The best method to achieve this is to turn your search-head into a LightWeightforwarder (will forward any data, including summary indexes to the indexers)

they are 3 tricky steps :

  • 1 make sure that all the indexes existing on the search-head are defined on the indexers too (in particular the summary indexes)

  • 2 turn on the SplunklightForwarder app on the search-head (specify the splunktcp port of the indexer, or of the cluster if you have load balancing)
    BUT this will turn off the web interface (splunkweb)
    REMARK : using the regular forwarder will not prevent the search-head to parse the events
    locally before forwading them.

  • 3 turn on the web interface that was shut down
    edit $SPLUNK_HOME/etc/system/local/web.conf


    
[settings]
    
startwebserver = 1

    and restart to apply

Enjoy.

Reply

yannK
Splunk Employee
Splunk Employee
‎02-05-2013 11:25 AM

yes, probably.

0 Karma
Reply

bmacias84
Champion
‎02-05-2013 10:58 AM

@yannK, Does this still apply to 5.0.1

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...