Splunk Search

Two Search Heads One Indexer

kmattern
Builder

I have two Splunk instances, a development and a test platform. Can I have them both pointing to the same indexer without having them interfere with each other? My administrator tells me that the etc\apps folders must be identical on both machines. That will never happen for obvious reasons. Currently the test platform is talking with an indexer while I use a second license to index the same data on my dev machine. This feels like duplicated effort and needless use of a second license. For reasons of security, the data is not forwarded but is manually downloaded on a daily basis.

Tags (3)
0 Karma
1 Solution

lguinn2
Legend

This is not true. Each search head has its own configurations, which can be completely different.

Perhaps your administrator is thinking of pooled search heads - which is not what you want to do.

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

My assumption was that the test SH instance is for testing the apps you're developing in the DEV instance. I mean the apps to go to Test Search head.

0 Karma

lguinn2
Legend

This is not true. Each search head has its own configurations, which can be completely different.

Perhaps your administrator is thinking of pooled search heads - which is not what you want to do.

kmattern
Builder

You said, "by deploying the developed apps to test index"

My admin wants to know whether you mean indexer instead of "test indexer" We have one search head pointing to one indexer. My Dev is indexing its data.

0 Karma

kmattern
Builder

Thanks, that's what I needed to know.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Yes...Indexers will store data that will be used by both the SH instances. How they want use it is defined by configurations in /etc/apps (apps) which can stay different.

0 Karma

kmattern
Builder

So I can have apps on my dev box that will never be put into testing or production. After all dev is my sandbox. Only authorized apps get to test. I want to be clear that etc\apps will never be identical.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

As long as you're just doing read operations of indexed data, you can use the same indexer for both instances. /etc/apps can be made identical by deploying the developed apps to test index (once testing is done).

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...