Splunk Search

How to configure the search head for distributed search with one search head, one indexer, and no cluster?

JoelCBennett
Engager

I am setting up a green-field Splunk environment with one search head and one indexer, which we would like to separate out for performance reasons. There is no indexing cluster needed (at least at this time). How do I configure the search head? I can set up a search peer which can successfully query the indexer server, however, I suspect that the indexer server may actually be performing the search.

0 Karma

domenico_perre
Path Finder

Hi Joel,

Just my opinion but setup a cluster now. Everyone correct me if I'm wrong. But once you have a single instance node you cant import the data into a cluster. So if your splunk requirements grow you wont have the flexibility.

0 Karma

JoelCBennett
Engager

Hey guys. I did peruse the documentation prior to submitting the question, and typically it discusses configuration in the context of setting up clustered roles (which I am not doing...at least currently).

@Mus, I do not want the indexer processing the searches (if possible), as that machine is not processor intensive. The search head, however, is stacked with procs so I want to perform the searches there (if possible).

@woodcock, I had set up the search peers in the manner you described, which works, but those searches are hitting the indexer in the peer role (I think).

Is what I am after achievable?

0 Karma

MuS
SplunkTrust
SplunkTrust

Yes it is achievable, keep everything on one big box - but this is not what you asked for....

0 Karma

woodcock
Esteemed Legend

I don't understand what you mean but if the Search peers screen shows Replication status is successful and Status is Up then it is all good. Also, the Indexer absolutely MUST "perform the searches" because he is the one that has the data. If you mean you would not like to have people login to the Indexer to perform the searches there, then I agree; have them login to the Search Head now that it is peered to the Indexer.

0 Karma

JoelCBennett
Engager

@woodcock Sounds like what I am after is not achievable. Was led to believe (by our splunk rep) that you could split out the searching from the indexing. If any search always hits the indexer with the search processing, then unsure what benefit I would get unless I was clustering.

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

The benefit of what you are asking for is one of easy scalability. Set it up now with the expectation of growth. Separate search head and indexers. You might not notice a performance increase now (vs one big box as @MuS commented ) but once you start expanding it will be much easier if they are already loosely coupled.

woodcock
Esteemed Legend

What in the world are your motivations and what exactly are you trying to achieve? You seem to be saying something analogous to "How do I spell 'Splunk' but without using any letters?" which is, obviously, utterly nonsensical.

0 Karma

woodcock
Esteemed Legend

As @MuS said, read the dox first but if you still don't get it, and this is really all you need to do, it is fairly trivial. Just logon to your Search Head as a user with admin privileges and go to Settings -> Distributed Search -> Search peers -> New and enter Your.DottedQuad.IP.Address:8089 along with the Login ID and Password of a user with admin privileges on your Indexer and click save. Done!

0 Karma

JoelCBennett
Engager

@woodcock I set up search peers just fine. If you search against one splunk server in that scenario, does it use resources from the search peer? Or is the 'heavy lifting' done only on the server you are searching on?

0 Karma

woodcock
Esteemed Legend

The heavy lifting is done by the Indexers; it has to be that way because that is where the data is! The Search Head does the "map" part of the map-reduce job and the Indexer does the "reduced" part (the heavy lifting). The results are sent back to the Search Head to be integrated (if there is more than 1 Indexer) and presented to the user.

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi JoelCBennett,

See the docs to set up a search head http://docs.splunk.com/Documentation/Splunk/6.2.4/DistSearch/Whatisdistributedsearch
Yes, the indexer will perform the actual search and the search head then merges the results back to the user (If you would have multiple indexers or search peers).

Hope this helps ...

cheers, MuS

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...