Deployment Architecture

How to set up a Splunk Indexer

assrinivas
New Member

Hi,
Could you please give me clarification on the point below?

I have gone through the Splunk videos and understand the Splunk components. As per my understanding:

Forwarder: installed on the application server (from which we get data for analysis).
Search Head: Splunk Enterprise, which we use to search the data, create dashboards, reports and alerts, and do any administration task.
Splunk Enterprise is installed on an individual server (the Splunk server).

Indexer: I am confused about the indexer.

I understood the concept that data from the application server is forwarded to the Indexer by the forwarder.

The Indexer indexes the incoming data and stores it as events (in the form of a table (rows and columns)).
The data from the indexer is then forwarded to the Search Head (Splunk Enterprise) for analysis.

My confusion is how do we install the indexer? Do we need to install the indexer like the forwarder/Splunk Enterprise?

I always heard from colleagues that we need to select the indexer to which data is to be forwarded.

Please help me with clarification. Also, correct me if my understanding is wrong.

Sorry, it may be a very basic question, but I am very new and have to handle my next project on Splunk. I want to gain strong basic knowledge.

Thanks & Regards,
Srinivas

1 Solution

kmorris_splunk
Splunk Employee

Just a bit of clarification:

The indexer (or indexers, if you have multiples) does receive and index the data sent to it by the Splunk Universal Forwarders. However, it stores the data in compressed files on disk. Splunk does not have a structured schema like a database does. The data is not "forwarded" to the Search Head, though the Indexers will respond to search requests from the Search Head.

To install an indexer, it is the same installation as a Search Head. Most of Splunk's components are installed this way. The difference comes with how they are configured (Search Head, Indexer, Deployment Server, etc...).

Take a look at this link:
https://docs.splunk.com/Documentation/MSExchange/3.5.1/DeployMSX/InstallaSplunkIndexer

Both the forwarders and the Search Head will need to know the IP/host of the indexer(s). Here are some notes I have for setting up a distributed environment (quick and easy). I just realized my notes don't mention setting up the Indexer to listen on a port (port 9997 by default), but you can find that in the link above, under the "Configure receiving" section. Hopefully this is helpful as you start to learn Splunk:

Configuring a distributed Splunk environment:

* Install Indexers
* Change the default password on each Indexer (required for the Search Head to connect)
* Install the Search Head
* Install licenses on the Search Head (License Master)
* Configure each Indexer as a License Slave
    * Settings > Licensing
    * Click "Change to slave"
    * Click the "Designate a different Splunk instance as the master license server" radio button
    * Specify the IP/hostname and Splunk management port (8089 by default)
    * Save
* Establish connections from the Search Head to all Search Peers. This is the key step.
    * Distributed search > Search peers > Add New
    * Specify the search peer, along with any authentication settings
    * Save
* Install Universal Forwarders and configure them to send to all Search Peers
    * Example Universal Forwarder outputs.conf:

        [tcpout]
        defaultGroup = my_search_peers

        [tcpout:my_search_peers]
        # every indexer this forwarder may send to, as host:port (9997 is the default receiving port)
        server = 10.10.10.1:9997,10.10.10.2:9997
        # spread events across the listed indexers instead of pinning to one
        autoLB = true

* Forward internal SH data to the indexer tier.
    * Create indexes from the SH on the indexers (search peers). Internal indexes will already exist, but indexes created by apps can easily be created by installing the apps on the indexers as well.
    * Set the SH up to forward to all Search Peers.
    * Example search head outputs.conf:

        # Turn off indexing on the search head
        [indexAndForward]
        index = false

        [tcpout]
        defaultGroup = my_search_peers
        # forward every index, including the internal ones (_internal, _audit, ...)
        forwardedindex.filter.disable = true
        indexAndForward = false

        [tcpout:my_search_peers]
        server = 10.10.10.1:9997,10.10.10.2:9997
        autoLB = true

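An added check, not part of kmorris_splunk's answer and not a Splunk command: the script below parses a forwarder's (or the search head's) outputs.conf together with the indexer's inputs.conf and reports whether defaultGroup resolves to real host:port peers, whether the indexer actually has a splunktcp receiver on each targeted port (the "Configure receiving" step the notes above omit), and whether that hop is TLS or the plaintext splunktcp default. Stanza and setting names (defaultGroup, server, autoLB, clientCert, sslRootCAPath, sslVerifyServerCert, useSSL, [splunktcp://<port>], [splunktcp-ssl:<port>], [SSL]) are Splunk's documented ones; the sample conf text and certificate paths are constructed for this example, and the second pair of samples goes beyond the posted config by showing the TLS-hardened form.

```python
# Added example (not from the original post): audit a forwarder's outputs.conf
# against the indexer's inputs.conf. Setting names are the documented Splunk
# ones; the sample conf text below is constructed for this example.
import configparser


def parse_conf(text: str) -> configparser.ConfigParser:
    # Splunk .conf files are INI-like with '=' only; keep key case and disable
    # '%' interpolation so values such as $SPLUNK_HOME/... pass through.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def parse_servers(value: str) -> list[tuple[str, int]]:
    """'10.10.10.1:9997,10.10.10.2:9997' -> [('10.10.10.1', 9997), ...]."""
    peers = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        host, sep, port = item.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"peer '{item}' is not host:port")
        peers.append((host, int(port)))
    return peers


def receiver_ports(inputs_cp: configparser.ConfigParser) -> dict[int, str]:
    """Map each splunktcp listening port on the indexer to 'tls' or 'plaintext'."""
    listeners = {}
    for section in inputs_cp.sections():
        if section.startswith("splunktcp-ssl:"):
            mode = "tls"
        elif section.startswith("splunktcp://"):
            mode = "plaintext"
        else:
            continue
        # works for both [splunktcp://9997] and [splunktcp-ssl:9997]
        listeners[int(section.rsplit(":", 1)[1].lstrip("/"))] = mode
    return listeners


def audit_tcpout(outputs_text: str, inputs_text: str) -> dict:
    out = parse_conf(outputs_text)
    listeners = receiver_ports(parse_conf(inputs_text))
    findings = []
    result = {"peers": [], "tls": False, "listeners": listeners, "findings": findings}

    group = out.get("tcpout", "defaultGroup", fallback=None)
    stanza = f"tcpout:{group}"
    if group is None or not out.has_section(stanza):
        findings.append("defaultGroup missing or has no [tcpout:<group>] stanza: nothing is forwarded")
        return result
    g = out[stanza]
    result["peers"] = peers = parse_servers(g.get("server", ""))

    # Forwarder side: a client cert (clientCert, or the legacy sslCertPath) or
    # useSSL=true means TLS; otherwise splunktcp to port 9997 is plaintext.
    tls = g.get("useSSL", "false").lower() == "true" or "clientCert" in g or "sslCertPath" in g
    result["tls"] = tls
    if not tls:
        findings.append(f"[{stanza}]: no clientCert/useSSL, events leave the forwarder as plaintext splunktcp")
    elif g.get("sslVerifyServerCert", "false").lower() != "true":
        findings.append(f"[{stanza}]: sslVerifyServerCert is not true, the indexer certificate is not validated")

    # Receiver side: each targeted port needs a listener of the same kind.
    for host, port in peers:
        mode = listeners.get(port)
        if mode is None:
            findings.append(f"{host}:{port}: indexer has no splunktcp receiver on port {port}")
        elif (mode == "tls") != tls:
            findings.append(f"{host}:{port}: receiver is {mode} but the forwarder is {'TLS' if tls else 'plaintext'}; the connection will fail")
    return result


# Constructed samples: the UF outputs.conf from the notes (plaintext, as posted)
# and a TLS-hardened forwarder/indexer pair with example certificate paths.
UF_OUTPUTS_PLAINTEXT = """[tcpout]
defaultGroup = my_search_peers
[tcpout:my_search_peers]
server = 10.10.10.1:9997,10.10.10.2:9997
autoLB = true
"""
IDX_INPUTS_PLAINTEXT = "[splunktcp://9997]\n"
UF_OUTPUTS_TLS = """[tcpout]
defaultGroup = my_search_peers
[tcpout:my_search_peers]
server = 10.10.10.1:9997,10.10.10.2:9997
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
sslVerifyServerCert = true
"""
IDX_INPUTS_TLS = """[splunktcp-ssl:9997]
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
requireClientCert = true
"""

if __name__ == "__main__":
    for label, o, i in (("as posted", UF_OUTPUTS_PLAINTEXT, IDX_INPUTS_PLAINTEXT),
                        ("hardened", UF_OUTPUTS_TLS, IDX_INPUTS_TLS)):
        r = audit_tcpout(o, i)
        print(label, r["peers"], r["findings"] or ["no findings"])
```

On a real deployment, feed it $SPLUNK_HOME/etc/system/local/outputs.conf from the forwarder (or from the search head, for the last step of the notes) and inputs.conf from each indexer; the checker is deliberately file-based so it can run on copies without touching the instances. The posted config passes the wiring checks but is flagged as plaintext on 9997, which is the default; treat that finding as the cue to set up splunktcp-ssl before forwarders start shipping production logs across the network.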

Anam
Community Manager

Hi @assrinivas

Did the answer by @kmorris_splunk help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!



assrinivas
New Member

Thank you so much for the clarification. Now I understand.
