How distributed search works
Distributed search is a peer-to-peer configuration that lets one Splunk server send a search to many other Splunk instances and merge their results. When a user logs in, the authentication attempt is federated to every other server included in the group, so a user who wants to search across distributed Splunk hosts must have exactly the same credentials (username and password) on every included server. You can propagate user credentials using the information in this Community wiki topic. Because one password is valid on every peer, a weak or compromised account on one server grants the same access on all of them: apply the same password policy everywhere and propagate account removals as promptly as account additions.
Users can restrict any search to explicitly search only a subset of the servers.
Each Splunk server in a distributed search configuration must have an Enterprise license.
Distributed search is typically used to:
- enable correlation among multiple silos of data for a subset of users.
- provide a single view of data across multiple indexing servers.
- provide a single view across Splunk servers that are indexing data locally on production hosts, where network bandwidth favors centralizing data at search time rather than index time.
Note: Distributed search runs over the management port (splunkd, default 8089), so SSL on that port must be configured the same way on every server in the group: on for all of them or off for all of them. SSL is on by default for the management port; if you turn it off on one server, you must turn it off on all servers. Keep it on where you can, since peer authentication travels over this port.
Known issues with distributed search
- You can mix 3.3.x with 3.2.x, but mixing 3.1.x and 3.2.x nodes in a distributed search cluster is not supported; you must upgrade all your Splunk servers to at least 3.2 in order to use distributed search across versions.
- Network speed affects distributed search speed. If you're searching over a VPN, you may notice distributed search taking longer, depending on your connection speed.
- Search-time field extraction must be configured on each of the servers that provide distributed search results; it is not pushed out from the server that runs the search.
- Each instance in the distributed search cluster must have a unique server name. The server name is specified in $SPLUNK_HOME/etc/myinstall/splunkd.xml.
- The savedsearch search command is not supported when searching across distributed Splunk systems.
- Dynamic field extraction (the interactive field extractor) is not supported when attempting to extract from a non-local event in a distributed search environment.
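The requirements scattered across this page (identical credentials on every server, management-port SSL uniformly on or off, every server at 3.2 or later, unique server names) are easy to get wrong one host at a time. The following preflight check is an added example and not Splunk code: it encodes those rules against a constructed, in-memory description of a search group. The host names, server names, versions and password-hash values are invented for the example; in practice you would collect them from each host's $SPLUNK_HOME/etc configuration.

```python
"""Preflight check for a Splunk 3.x distributed search group (added example, not Splunk code).

Rules checked, as stated in the documentation:
  1. every server name is unique,
  2. SSL on the management port (default 8089) is on for all peers or off for all,
  3. no peer runs a version older than 3.2,
  4. the searching user exists, with the same password, on every peer.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Peer:
    """One Splunk 3.x server in the group. All field values below are constructed sample data."""
    host: str
    server_name: str                    # from $SPLUNK_HOME/etc/myinstall/splunkd.xml
    version: str                        # e.g. "3.4.14"
    mgmt_ssl: bool                      # SSL on the management port (default 8089)
    users: Dict[str, str] = field(default_factory=dict)   # username -> password hash (placeholder values)


MIN_VERSION: Tuple[int, ...] = (3, 2)   # the page: every server must be at 3.2 or later


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.4.14' -> (3, 4, 14); tuples compare correctly, unlike the strings."""
    return tuple(int(part) for part in text.split("."))


def check_group(peers: List[Peer], search_user: str) -> List[str]:
    """Return the list of rule violations for the group; an empty list means the group passes."""
    problems: List[str] = []

    # 1. Server names must be unique across the whole group.
    owner: Dict[str, str] = {}
    for p in peers:
        if p.server_name in owner:
            problems.append(f"duplicate server name {p.server_name!r} on {owner[p.server_name]} and {p.host}")
        else:
            owner[p.server_name] = p.host

    # 2. Management-port SSL must match on every peer (all on, or all off).
    ssl_off = [p.host for p in peers if not p.mgmt_ssl]
    if ssl_off and len(ssl_off) != len(peers):
        problems.append(f"management-port SSL is off on {ssl_off} but on elsewhere")

    # 3. No peer may be older than 3.2 (so no 3.1.x peers can be mixed in).
    for p in peers:
        if parse_version(p.version) < MIN_VERSION:
            problems.append(f"{p.host} runs {p.version}; every server must be 3.2 or later")

    # 4. The searching user must be present with the same password hash on every peer.
    hashes = {p.host: p.users.get(search_user) for p in peers}
    missing = [host for host, h in hashes.items() if h is None]
    if missing:
        problems.append(f"user {search_user!r} is missing on {missing}")
    if len({h for h in hashes.values() if h is not None}) > 1:
        problems.append(f"user {search_user!r} has different passwords across peers")

    return problems


# Constructed sample groups. "h1"/"h2" stand in for password hashes and are not real Splunk hashes.
GOOD_PEERS = [
    Peer("search-head.example", "search-head", "3.4.14", True, {"analyst": "h1"}),
    Peer("idx1.example", "idx1", "3.4.14", True, {"analyst": "h1"}),
    Peer("idx2.example", "idx2", "3.3.4", True, {"analyst": "h1"}),   # 3.3.x and 3.4.x may be mixed
]

BAD_PEERS = [
    Peer("search-head.example", "search-head", "3.4.14", True, {"analyst": "h1"}),
    Peer("idx1.example", "idx1", "3.1.4", False, {"analyst": "h2"}),   # too old, SSL off, wrong password
    Peer("idx2.example", "search-head", "3.3.4", True, {}),            # duplicate name, user missing
]


if __name__ == "__main__":
    for label, group in (("good", GOOD_PEERS), ("bad", BAD_PEERS)):
        found = check_group(group, "analyst")
        print(f"{label}: {'OK' if not found else ''}")
        for line in found:
            print("  -", line)
```

The check deliberately treats a group with SSL off everywhere as consistent, because the page allows it; if you want the tool to flag that configuration as well, add a fifth rule rather than weakening rule 2, since a mixed on/off group breaks searches outright while an all-off group merely loses transport protection.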
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14.
