
Is there an alternative to Splunk Free for a distributed search POC?

deepak02
Path Finder

Hi,

I am trying a POC on my personal PC where

  • Forwarder is on one machine (Linux)
  • Indexer + Search Head on another machine (Mac OS)

I am using Splunk Enterprise downloaded for free.

ISSUE: I am able to see the data on the indexer, but the Search Head is not connecting to the indexer. (Error: REST interface to peer is taking longer than 5 seconds to respond on https. Peer may be over subscribed or misconfigured).

QUESTION:
I read that Splunk Free does not provide Distributed Search. Is that the reason why my Search Head to Indexer connection is not working?

Which Splunk product (free or very cheap) should I use to implement the above architecture (three tier on two machines)?

Thanks,
Deepak


lguinn2
Legend

If you are using the trial version of Splunk, you have all the Enterprise features for the first 60 days. So distributed search will work for 60 days, which should be enough time for a POC.

If the search head is not connecting to the indexer, I suspect that it is not configured properly. If you could show us the settings in distsearch.conf on the search head, the community can probably help you debug it. (You will probably find it in $SPLUNK_HOME/etc/system/local)

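A quick way to act on this answer is to read the peer list out of the search head's distsearch.conf and probe each peer's management port with the same 5-second budget the error message mentions. The script below is an added example for this thread, not code from the original post or from Splunk; the `[distributedSearch]` stanza and its `servers` key are Splunk's documented format, the config contents and the 192.0.2.x addresses are constructed for offline use, and the `/services/server/info` endpoint is Splunk's REST path on port 8089.

```shell
#!/bin/sh
# Added example: check a search head's distsearch.conf and confirm that each
# configured indexer answers on its management (REST) port within 5 seconds.

# Constructed sample distsearch.conf, written to the path given as $1.
# In a real deployment it lives in $SPLUNK_HOME/etc/system/local/distsearch.conf.
write_sample_conf() {
  cat > "$1" <<'EOF'
[distributedSearch]
disabled = 0
servers = https://192.0.2.10:8089, https://192.0.2.11:8089
EOF
}

# Print one peer URL per line, taken from the "servers = ..." key.
list_peers() {
  sed -n 's/^servers *= *//p' "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -v '^$'
}

# Probe one peer's REST interface with a 5 s timeout (the threshold in the
# "REST interface to peer is taking longer than 5 seconds" error).
# Prints the HTTP status: 401 means the port answered (it just wants credentials);
# 000 means no response, i.e. the management port is unreachable or too slow.
probe_peer() {
  curl -sk -m 5 -o /dev/null -w '%{http_code}' "$1/services/server/info"
}

# Walk every peer in the config and report reachability.
check_all_peers() {
  list_peers "$1" | while read -r peer; do
    code=$(probe_peer "$peer")
    if [ "$code" = "000" ]; then
      echo "UNREACHABLE $peer (no answer within 5 s)"
    else
      echo "OK          $peer (HTTP $code)"
    fi
  done
}

# Stand-alone usage: write the sample config and check it.
if [ "${1:-}" = "--demo" ]; then
  write_sample_conf /tmp/distsearch.conf
  check_all_peers /tmp/distsearch.conf
fi
```

A peer that shows `000` here is the one the search head cannot reach, so the problem is on the network or firewall path to port 8089 rather than in Splunk's licensing; a `401` means the REST interface is answering and the remaining work is the peer credentials on the search head.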

s2_splunk
Splunk Employee

If you run search head and indexer on the same machine, there is no need for distributed search. The indexer IS the search head. Distributed search comes into play when you have 2+ indexers.
What are the success criteria for your PoC? Do you need to prove that distributed search works for your PoC to be successful?

