Getting Data In

Could you give me step-by-step instructions on how to have an indexer and a search head?

christianubeda
Path Finder

Hi team!

I have a question.

Actually I have a standalone server.

My plan is to have 2 servers: an indexer and a search head.

What do I have to do?

Please help. This is my very first time.

Thank you a lot.

0 Karma

nasimm
New Member

Can you help me?
Please help me.
Should the forwarder be installed on the search head or the search indexer (peer), or both of them?
Please help me,
I don't have enough time. Please help me,
I don't have enough time for deploying.
Can you help me?
My problem is the forwarder: should the universal forwarder be installed just on the search head or on the search indexer (peer)?

0 Karma

richgalloway
SplunkTrust

Take a deep breath. Please post a new question describing your problem. Forwarders are not installed on either search heads or indexers, but we'll address that with your question.

---
If this reply helps you, Karma would be appreciated.
0 Karma

nasimm
New Member

Hi,
Please give me your advice about this link. Is it OK for deploying the universal forwarder and search indexer? After these, should I just deploy the search head?
In this link, the forwarder is installed on the search indexer, but you say no, the universal forwarder should be installed on your host (in my case, I have 3 nodes in VMware and my system (Windows)). Then in my case, should I install and deploy the universal forwarder on Windows, or on my search indexers (2 of 3 nodes, one of them being the search head)? If yes, should I install a forwarder on each one of the search indexers, with port 9997? Does that not create a conflict?
The link is:
https://www.youtube.com/watch?v=ST3UOM4TS60

Please help me, I have been busy deploying distributed Splunk for a week, please help me.
I don't have enough time; the time for my dissertation will be finished in the next few days.
Please help me,
Thanks.

0 Karma

sensitive-thug
Splunk Employee

Hi @nasimm,

Please post a brand new question to get help with the issue, rather than posting a comment on a previous question.

To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.

Thanks!

0 Karma

sloshburch
Splunk Employee

I would actually suggest focusing on what the official documentation has to offer. That way if you open a support case for help, you are in line with what is supported.

Two sets of documentation that will be of use to you: Distributed Deployment Manual and Distributed Search. The second link even has a page that walks you through exactly what you're working on.

0 Karma

kmorris_splunk
Splunk Employee

Here are some notes I had which will summarize the steps. Even though you will have just one indexer, this will be the same process.

  • Install Indexers
  • Change default password on each Indexer (required for Search Head to connect)
  • Install Search Head
  • Install Licenses on Search Head (License Master)
  • Configure each Indexer as a License Slave
    • Settings > Licensing
    • Click Change to slave
    • Click Designate a different Splunk instance as the master license server radio button
    • Specify the IP/Hostname and Splunk management port (8089 by default)
    • Save
  • Establish connections from Search Head to all Search Peers. This is the key step.
    • Distributed search > Search peers > Add New
    • Specify the search peer, along with any authentication settings
    • Save
  • Install Universal Forwarders and configure to send to all Search Peers
    • Example Universal Forwarder outputs.conf

      [tcpout]
      defaultGroup = my_search_peers

      [tcpout:my_search_peers]
      server=10.10.10.1:9997,10.10.10.2:9997
      autoLB = true

  • Forward internal SH data to the indexer tier.
    • Create indexes from SH on the indexers (search peers). Internal indexes will already exist, but indexes created by apps can be easily created by installing the apps on the indexers as well.
    • Set SH up to Forward to all Search Peers.
    • Example outputs.conf

      # Turn off indexing on the search head
      [indexAndForward]
      index = false

      [tcpout]
      defaultGroup = my_search_peers
      forwardedindex.filter.disable = true
      indexAndForward = false

      [tcpout:my_search_peers]
      server=10.10.10.1:9997,10.10.10.2:9997
      autoLB = true


Configuration via files:

Change password from changeme to something else on the indexers:

./splunk edit user admin -password foo -role admin -auth admin:changeme

Configure indexers as license slaves: https://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/LicenserCLIcommands
./splunk edit licenser-localslave -master_uri 'https://master:8089'

Add search peer to Search Head:
splunk add search-server https://192.168.1.1:8089 -auth admin:password -remoteUsername admin -remotePassword passremote
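
An added example, not part of the original post and not Splunk tooling: a small Python check that an outputs.conf like the two above names a defaultGroup whose [tcpout:<group>] stanza lists host:port receivers and, for a search head, that local indexing is turned off. The function names and the embedded sample text are assumptions made for illustration.

```python
# Constructed sample: the search-head outputs.conf from the answer above (added example).
SAMPLE_SH = """\
# Turn off indexing on the search head
[indexAndForward]
index = false
[tcpout]
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false
[tcpout:my_search_peers]
server=10.10.10.1:9997,10.10.10.2:9997
autoLB = true
"""

def parse_conf(text):
    """Return {stanza: {key: value}}; keys before any stanza go under 'default'."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()                      # indentation is ignored
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def check_outputs(text, search_head=False):
    """Hypothetical checker: return a list of problems found in outputs.conf text."""
    conf, problems = parse_conf(text), []
    groups = split_list(conf.get("tcpout", {}).get("defaultGroup", ""))
    if not groups:
        problems.append("[tcpout] has no defaultGroup")
    for group in groups:
        servers = split_list(conf.get("tcpout:" + group, {}).get("server", ""))
        if not servers:
            problems.append(f"no server list in [tcpout:{group}]")
        for entry in servers:
            host, _, port = entry.rpartition(":")   # entry must be host:port
            if not host or not port.isdigit() or not 0 < int(port) < 65536:
                problems.append(f"bad server entry {entry!r} in [tcpout:{group}]")
    if search_head and conf.get("indexAndForward", {}).get("index", "").lower() != "false":
        problems.append("[indexAndForward] index is not false")
    return problems
```
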

nasimm
New Member

So the universal forwarder will be installed on the indexers?

0 Karma

nasimm
New Member

Also, you said in the last part that the forwarder does not need to be installed on the search head, but in your commands you turn this off from the search peer (indexer). It confused me.
[tcpout]
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false
[tcpout:my_search_peers]
server=10.10.10.1:9997,10.10.10.2:9997
autoLB = true

0 Karma

christianubeda
Path Finder

I actually installed my 10Gb license in the indexer...

What can I do now?

0 Karma

kmorris_splunk
Splunk Employee

Just a note, be sure to replace any placeholder IP addresses in these notes with the appropriate IPs in your environment.

0 Karma