Splunk Search

Can I search a search head from another search head?

vanderaj1
Path Finder

I think I already know the answer to this, but here goes:

I have a search head that can access my indexer as a search peer. I have another search head in a separate security group that cannot access my indexer as a search peer.

Could I connect the two search heads and then somehow search "through" the search heads to the indexer? In other words, could the search head that can't directly connect to the indexer query the indexer through the search head that can?

Thanks!

0 Karma
1 Solution

hexx
Splunk Employee
Splunk Employee

Could I connect the two search heads and then somehow search "through" the search heads to the indexer?

No. There is no "proxy-ing" of distributed search. As you dispatch a search to search peers, they will respond with their own results but they will not pass on the search to their own search peers if any are defined.

View solution in original post

hexx
Splunk Employee
Splunk Employee

Could I connect the two search heads and then somehow search "through" the search heads to the indexer?

No. There is no "proxy-ing" of distributed search. As you dispatch a search to search peers, they will respond with their own results but they will not pass on the search to their own search peers if any are defined.

vanderaj1
Path Finder

Thanks for responding! Yep, I thought that to be the case. I appreciate the confirmation -we'll go about this in another way on our end.

0 Karma

jkat54
SplunkTrust
SplunkTrust

If you for some reason needed an intermediary you could probably use load balancer such as haproxy or nginx to forward port 8089 to the appropriate hosts in both directions. It's certainly nothing I've seen before however.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...