Deployment Architecture

Given two standalone Splunk environments, can I point one instance to search the other instance in addition to its own instance?

carlkennedy
Path Finder

I am working with two Splunk standalone environments where each environment is a single server that acts as search head and indexer. Users currently have to log into both environments to run reports. They want to only log into one server and run a combined report. I understand that the optimal solution is to have one environment but this is not currently possible. Can I update the distributed search settings in System A to search both itself and also System B? Looking at the docs for distributed search I see this line:

Important: A search head cannot perform a dual function as a search peer.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

You can add Standalone box B as search peer to Standalone box A. Again, it's not recommended that you have an indexer also work as search head (system B here) as it will increase load on that servers. Temporary this could work, but long term and to have robust SPlunk deployment, I would consider you reading these resources and re-architect your environment(s).

https://conf.splunk.com/session/2014/conf2014_KarandeepBains_Splunk_Deploying.pdf
http://docs.splunk.com/Documentation/Splunk/6.5.2/Capacity/Referencehardware

View solution in original post

0 Karma

woodcock
Esteemed Legend

You cannot chain your search heads but you can have Search Head A talk to both his own Indexer Tier A and also any other Indexer Tier. You simply login to Search Head A and go to Settings -> Distributed Search -> New and add each Indexer from Tier B as a Search Peer. That's it. Now you are searching against both systems.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You can add Standalone box B as search peer to Standalone box A. Again, it's not recommended that you have an indexer also work as search head (system B here) as it will increase load on that servers. Temporary this could work, but long term and to have robust SPlunk deployment, I would consider you reading these resources and re-architect your environment(s).

https://conf.splunk.com/session/2014/conf2014_KarandeepBains_Splunk_Deploying.pdf
http://docs.splunk.com/Documentation/Splunk/6.5.2/Capacity/Referencehardware

0 Karma

carlkennedy
Path Finder

Thanks for the quick response.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...