Install a dedicated search head
Distributed search is enabled by default on every Splunk instance, with the exception of forwarders. This means that every Splunk server can function as a search head to a specified group of indexers, referred to as search peers.
In some cases, you might want a single Splunk instance to serve as both a search head and a search peer. In other cases, however, you might want to set up a dedicated search head. A dedicated search head performs only searching; it does not do any indexing.
Note: If you do want to use a Splunk instance as both a search head and a search peer, or otherwise perform indexing on the search head, just install the search head as a regular Splunk instance with a normal license, as described in "About Splunk licenses" in the Installation manual.
To install a dedicated search head, follow these steps:
1. Determine your hardware needs by reading this topic in the Installation manual.
2. Install Splunk, as described in the topic in the Installation manual specific to your operating system.
3. Add the search head to your Enterprise license group even if it's a dedicated search head that's not expected to index any data. For more information, see "Types of Splunk licenses".
4. Establish distributed search from the search head to all the indexers, or "search peers", you want it to search. See "Configure distributed search" for how to do this.
5. Log in to your search head and do a search for *. Look at your results and check the splunk_server field. Verify that all your search peers are listed in that field.
6. Set up the authentication method you want to use on the search head, just as you would for any other Splunk instance. Do not set up any indexing on your search head, since that will violate its license.
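The check in step 5 can be scripted once the results of the * search are exported. The following is an added example, not part of the Splunk documentation or product. It assumes the results were exported as CSV with a splunk_server column; the server names (idx01, idx02, idx03, sh01) and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample: CSV export of a "*" search run on the search head.
SAMPLE_CSV = """_time,host,splunk_server,_raw
2012-05-01 10:00:01,web01,idx01,GET /index.html 200
2012-05-01 10:00:02,web02,idx02,GET /login 302
2012-05-01 10:00:03,db01,idx01,connection accepted
2012-05-01 10:00:04,sh01,sh01,local test event
"""


def check_peers(csv_text, expected_peers, search_head):
    """Compare splunk_server values in exported results with the peer list."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if "splunk_server" not in (reader.fieldnames or []):
        raise ValueError("export has no splunk_server column")

    # Count events per server that returned them.
    counts = Counter()
    for row in reader:
        server = (row.get("splunk_server") or "").strip()
        if server:
            counts[server] += 1

    expected = set(expected_peers)
    seen = set(counts)
    return {
        # Peers that returned no events. A peer with no data in the search
        # time range also lands here, so widen the range before concluding
        # that the peer is not connected.
        "missing": sorted(expected - seen),
        # Servers that answered but are not in the intended peer list.
        "unexpected": sorted(seen - expected - {search_head}),
        # Events returned by the search head itself; a dedicated search
        # head is not supposed to index data (step 6).
        "local_events": counts.get(search_head, 0),
        "counts": dict(counts),
    }


if __name__ == "__main__":
    report = check_peers(SAMPLE_CSV, ["idx01", "idx02", "idx03"], "sh01")
    for key in ("missing", "unexpected", "local_events", "counts"):
        print(f"{key}: {report[key]}")
```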
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7