Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I search a search head from another search head?

vanderaj1
Path Finder
‎09-12-2016 11:18 AM

I think I already know the answer to this, but here goes:

I have a search head that can access my indexer as a search peer. I have another search head in a separate security group that cannot access my indexer as a search peer.

Could I connect the two search heads and then somehow search "through" the search heads to the indexer? In other words, could the search head that can't directly connect to the indexer query the indexer through the search head that can?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎09-12-2016 11:27 AM

Could I connect the two search heads and then somehow search "through" the search heads to the indexer?

No. There is no "proxy-ing" of distributed search. As you dispatch a search to search peers, they will respond with their own results but they will not pass on the search to their own search peers if any are defined.

View solution in original post

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎09-12-2016 11:27 AM

Could I connect the two search heads and then somehow search "through" the search heads to the indexer?

No. There is no "proxy-ing" of distributed search. As you dispatch a search to search peers, they will respond with their own results but they will not pass on the search to their own search peers if any are defined.

Reply
Solved! Jump to solution

vanderaj1
Path Finder
‎09-13-2016 08:24 AM

Thanks for responding! Yep, I thought that to be the case. I appreciate the confirmation -we'll go about this in another way on our end.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎10-12-2016 04:58 AM

If you for some reason needed an intermediary you could probably use load balancer such as haproxy or nginx to forward port 8089 to the appropriate hosts in both directions. It's certainly nothing I've seen before however.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...