Distributed Search
This documentation does not apply to the most recent version of Splunk.
Web interface
Go to the Admin section, select the Splunk 2 Splunk tab, and click Distributed Search.
To turn distributed search on:
1) Set the Participate in Distributed Search? radio button to Yes.
2) If you want other Splunk instances to automatically find this instance, set the Auto-Discoverable? radio button to Yes.
Note: Discovered servers will not be displayed until the change has been committed and Splunk has been restarted.
3) Add the IP address and port number of the other Splunk instances that you want to include in the distributed search cluster. This port number must match the splunkd port number in Admin / Server / Settings.
Note: If you enabled Auto-Discoverable on other Splunk instances, they will be displayed in the Discovered Servers column. Each server will have an Add button next to it. Clicking Add will add the server to the cluster.
Command line interface
To enable distributed search:
# ./splunk enable dist-search -auth admin:changeme
Distributed search enabled. You need to restart the Splunk Server for your changes to take effect.
To enable Auto discovery:
# ./splunk enable discoverable -auth admin:changeme
Discoverable mode is now enabled. You need to restart the Splunk Server for your changes to take effect.
To add a search server:
# ./splunk add search-server -host 10.10.10.10 -port 8888 -auth admin:changeme
Success. You need to restart the Splunk Server for your changes to take effect.
Config file
The GUI and CLI will modify $SPLUNK_HOME/etc/modules/distributedSearch/config.xml.
You should not modify this file unless instructed to do so by Splunk Support. All configuration changes to distributed search should be made through the GUI or CLI.
Note:
If you are using multiple indexes in your topology, all nodes searched must contain the specified index.
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6