Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Configuration for Search Head, Indexer and Fowarder

gaurav_maniar
Builder
‎02-05-2017 05:37 AM

I have 3 systems, I want one system to work as Forwarder, one as Indexer and one as Search Head.
Setting up forwarder is fine, but to separate indexing and searching.
Means on the indexing system searching should not be available and on search system indexing should not be available.
How can I achieve this type of configuration?

Please let me know if you want more details.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎02-05-2017 08:09 AM

I would suggest some homework first. Have a look at the Distributed Deployment guide, perhaps starting here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Deploy/Implementationoverview

This configuration is a highly common, typical small Splunk configuration. You:

  1. Disable the web interface on the indexer
  2. Configure the search head to act as a search peer of the indexer
  3. Configure the search head to forward its _internal and other local logs to your indexer

This design is well-covered in the Distributed Deployment guide linked above as well as in the Splunk System Administration class. If you have specific questions about deploying this design, I would suggest a more specific follow-up question (or questions).

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎02-05-2017 08:09 AM

I would suggest some homework first. Have a look at the Distributed Deployment guide, perhaps starting here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Deploy/Implementationoverview

This configuration is a highly common, typical small Splunk configuration. You:

  1. Disable the web interface on the indexer
  2. Configure the search head to act as a search peer of the indexer
  3. Configure the search head to forward its _internal and other local logs to your indexer

This design is well-covered in the Distributed Deployment guide linked above as well as in the Splunk System Administration class. If you have specific questions about deploying this design, I would suggest a more specific follow-up question (or questions).

0 Karma
Reply
Solved! Jump to solution

Simons20
Loves-to-Learn Lots
‎10-28-2020 04:13 AM

Does the search head and indexer must be deployed on different separate servers with different ip adresses? And doest it mean that i have to install splunk on those different servers?

What's the problem with having the indexer and searchhead deployed on 1 server?

 

0 Karma
Reply
Solved! Jump to solution

gaurav_maniar
Builder
‎02-05-2017 09:32 AM

hey @dwaddle thanks for the help. Actually I just completed power user certification and about to start with administration. Just one more query, after setting up the environment as you have mentioned if I link more forwarders to indexer I have to not worry about search head ???

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎02-05-2017 01:39 PM

correct. Search heads don't particularly care about how many forwarders are connected to the indexer. But, if you are going to add a bunch of forwarders, then you should be looking at adding a deployment server to your design.

0 Karma
Reply
Solved! Jump to solution

nasimm
New Member
‎05-09-2020 07:26 AM

we should install forwarder on search head?

0 Karma
Reply
Solved! Jump to solution

gaurav_maniar
Builder
‎02-05-2017 08:44 PM

Thanks Bro 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...