Is there an alternative to Splunk Free for a distributed search POC?

deepak02
Path Finder

Hi,

I am trying a POC on my personal PC where

  • Forwarder is on one machine (Linux)
  • Indexer + Search Head on another machine (Mac OS)

I am using Splunk Enterprise downloaded for free.

ISSUE: I am able to see the data on the indexer, but the Search Head is not connecting to the indexer. (Error: REST interface to peer is taking longer than 5 seconds to respond on https. Peer may be over subscribed or misconfigured).

QUESTION:
I read that Splunk Free does not provide Distributed Search. Is that the reason why my Search Head to Indexer connection is not working?

Which Splunk product (free or very cheap) should I use to implement the above architecture (three tier on two machines)?

Thanks,
Deepak

0 Karma
1 Solution

lguinn2
Legend

If you are using the trial version of Splunk, you have all the Enterprise features for the first 60 days. So distributed search will work for 60 days, which should be enough time for a POC.

If the search head is not connecting to the indexer, I suspect that it is not configured properly. If you could show us the settings in distsearch.conf on the search head, the community can probably help you debug it. (You will probably find it in $SPLUNK_HOME/etc/system/local)

0 Karma

s2_splunk
Splunk Employee

If you run search head and indexer on the same machine, there is no need for distributed search. The indexer IS the search head. Distributed search comes into play when you have 2+ indexers.
What are the success criteria for your PoC? Do you need to prove that distributed search works for your PoC to be successful?

0 Karma
