Splunk Search

Can I search a search head from another search head?

vanderaj1
Path Finder

I think I already know the answer to this, but here goes:

I have a search head that can access my indexer as a search peer. I have another search head in a separate security group that cannot access my indexer as a search peer.

Could I connect the two search heads and then somehow search "through" the search heads to the indexer? In other words, could the search head that can't directly connect to the indexer query the indexer through the search head that can?

Thanks!

0 Karma
1 Solution

hexx
Splunk Employee

Could I connect the two search heads and then somehow search "through" the search heads to the indexer?

No. There is no "proxy-ing" of distributed search. As you dispatch a search to search peers, they will respond with their own results but they will not pass on the search to their own search peers if any are defined.


vanderaj1
Path Finder

Thanks for responding! Yep, I thought that to be the case. I appreciate the confirmation - we'll go about this in another way on our end.

0 Karma

jkat54
SplunkTrust

If you for some reason needed an intermediary, you could probably use a load balancer such as haproxy or nginx to forward port 8089 to the appropriate hosts in both directions. It's certainly nothing I've seen before, however.

0 Karma