
Can a Search Head be an Indexer as well in a distributed search environment?

psutton_et
Explorer

I have 2 Splunk Test Servers. I had one as an indexer and one as the search head. But, we are needing to restore a single index=restoredb from our production instance to this test env. We have 2 indexers in our Production servers, so I have made both Test Servers indexers with one of those 2 still being a search head. I'm a little confused about how to set up distributed searching. When I try and add the search head/indexer it says 'Duplicate Servername'. I'm not sure if this means that the search will automatically look on the search head and then the other indexer?

Our Production Indexers are not clustered. So the data from both needs to be restored to a different place to look at all the data.

0 Karma
1 Solution

jdunlea
Contributor

Quick answer: Yes, in a distributed environment you can have one of your machines be a search head and an indexer while the other machine is just an indexer.

You do not need to add the search head as a distributed indexer of itself as it will automatically look at the indexes within itself by default. Just ensure that the index you are copying is created on both test servers and then drop the data into that index on each server. The search head will then search its own indexes and also the indexes of the distributed indexer. (Remember that you may need to fiddle with user account permissions to search that index, but this may not be required if you have not changed much from the default set up.)

As a side note: The data from two indexers actually does not need to be restored to two different places (presuming you are running version 5 or higher). You can drop all of the buckets from the index on both indexers into the same index on ONE indexer, but you just need to ensure that the bucket ids (the number after the last underscore in the bucket name) don't collide. These need to be unique.

Hope this helps!

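The bucket-id rule in the accepted answer is easy to check before copying buckets from two indexers into one index. The script below is an added example, not code from the thread or from Splunk: it parses the non-clustered bucket directory naming convention `db_<latest>_<earliest>_<id>`, reports ids that appear on more than one source indexer, and proposes fresh ids for the colliding buckets (the directory listings in `SAMPLE` are constructed, and the renumbering strategy is my assumption, not a Splunk-documented procedure).

```python
import re
from collections import defaultdict

# On a non-clustered indexer a warm/cold bucket directory is named
# db_<latest_epoch>_<earliest_epoch>_<bucket_id>; the trailing number is the
# bucket id that must stay unique within one index after a merge.
BUCKET_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")

def parse_bucket(name):
    """Return (latest, earliest, bucket_id) for a bucket dir name, else None."""
    m = BUCKET_RE.match(name)
    if m is None:
        return None  # hot buckets, stray files etc. are not copy candidates
    latest, earliest, bucket_id = (int(x) for x in m.groups())
    return latest, earliest, bucket_id

def find_collisions(buckets_by_source):
    """Map bucket_id -> [(source, name), ...] for ids seen on more than one source."""
    seen = defaultdict(list)
    for source, names in buckets_by_source.items():
        for name in names:
            parsed = parse_bucket(name)
            if parsed is not None:
                seen[parsed[2]].append((source, name))
    return {bid: hits for bid, hits in seen.items() if len(hits) > 1}

def plan_renames(buckets_by_source):
    """Return [(source, old_name, new_name)] that makes every bucket id unique."""
    # First source keeps its ids; colliding buckets from later sources get fresh
    # ids above the highest id in use, so nothing already present has to move.
    entries = [(src, name, parse_bucket(name))
               for src, names in buckets_by_source.items() for name in names]
    entries = [(src, name, p) for src, name, p in entries if p is not None]
    next_id = max((p[2] for _, _, p in entries), default=-1) + 1
    assigned, renames = set(), []
    for src, name, (latest, earliest, bid) in entries:
        if bid in assigned:
            renames.append((src, name, f"db_{latest}_{earliest}_{next_id}"))
            next_id += 1
        else:
            assigned.add(bid)
    return renames

# Constructed listing of two indexers' bucket directories (not real data).
SAMPLE = {
    "idx1": ["db_1700000000_1699990000_0", "db_1700010000_1700000000_1",
             "db_1700020000_1700010000_2"],
    "idx2": ["db_1700005000_1699995000_0", "db_1700015000_1700005000_3",
             "hot_v1_4"],
}
```

Calling `find_collisions(SAMPLE)` flags id 0 on both indexers, and `plan_renames(SAMPLE)` proposes moving idx2's copy to id 4; any name that does not match the `db_` pattern (such as the hot bucket) is skipped rather than guessed at.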

ppablo
Retired

Hi @psutton_et

You can set up a search head as a search peer as stated here in documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/Overviewofconfiguration#Deploy_non-dedi...

You would need to just add the other indexer server as a search peer to the dual-purpose search head/indexer server:
http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/Configuredistributedsearch

Have you tested any searches to see if they return any data specifically from the dual search head/indexer?

0 Karma

psutton_et
Explorer

Thanks for the response. We did restore just an individual index on the 2 test servers and we were able to restore the data we needed.

psutton_et
Explorer

We are still waiting for the restores to complete. As soon as they do, I will try.

0 Karma