Is it possible to run Splunk Light with 2 indexers and a search head?

dionmitchell
Engager

Hi all,

Like the title says, is it possible to run Splunk Light with 2 indexers and a search head? Or is this a Splunk Enterprise-only configuration?

Many thanks,

0 Karma
1 Solution

gvmorley
Contributor

Hi,

Looking at the comparison page on Splunk's site (https://www.splunk.com/en_us/products/splunk-light/splunk-light-vs-splunk-enterprise.html), I'd say no.

What you're describing is called 'Distributed Search' and it doesn't look like this is supported in Splunk Light.

But, depending on your use-case, do you need multiple servers (Indexers & Search Heads)?

Splunk is pretty performant even running as a standalone server. If you haven't already, get one installed with either the Trial or Free license and see how you get on.

0 Karma

dionmitchell
Engager

Thanks for the confirmations,

We have 2 datacenters. While they won't be indexing a lot of data, we want to avoid unnecessary intersite traffic, which is why we wanted 2 indexers with a search head.

Many thanks,

0 Karma

gvmorley
Contributor

Ah,

I can see where you're coming from.

I think in your position, I'd absolutely start with a single server set-up in one of your datacenters. Run it there as a PoC for a good few weeks with a variety of inputs.

Then you'll be able to see the volumes that you're getting for your different hosts & sources, etc. over time. Use the very excellent built-in Monitoring Console to drill down into this info.

This will then give you a really good feel for the volume of data (intersite traffic) which you may get from similar feeds from your second datacenter.

That will then allow you to weigh up the value of going with Enterprise (with Distributed Search) or Light. You never know, it may be more cost-effective to up the bandwidth between your DCs!

Enjoy.

esix_splunk
Splunk Employee

This is correct, it is not possible. Distributed search is not a function in Splunk Light.

0 Karma