Splunk® Enterprise

Distributed Search


This documentation does not apply to the most recent version of Splunk.

Designate the search head

Distributed search is enabled by default on every Splunk Enterprise instance, with the exception of forwarders. This means that every Splunk Enterprise server can function as a search head to a specified group of indexers, referred to as search peers.

To install a search head, follow these steps:

1. Determine your hardware needs by reading this topic in the Installation Manual.

2. Install Splunk Enterprise, as described in the topic in the Installation Manual specific to your operating system.

3. Add the search head to your Enterprise license group, even though it's a dedicated search head that's not expected to index any external data. For more information, see "Types of Splunk Enterprise licenses".

4. Establish distributed search from the search head to all the indexers (search peers) that you want it to search. See "Add search peers" for how to do this.

5. Log in to the search head and perform a search that runs across all the search peers, such as a search for *. Examine the splunk_server field in the results. Verify that all the search peers are listed in that field.

6. See the Securing Splunk Enterprise manual for information on setting up authentication.

Important: Do not configure the search head for indexing of external data, since that will violate its license.
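
One way to script the check in step 5, as an added example that is not part of the Splunk documentation: it compares the splunk_server values returned by a search such as `* | stats count by splunk_server`, exported as CSV, against the peers you expect. The host names, function names, and the case-insensitive name matching are assumptions made for illustration; a peer with no matching events in the search time range does not appear in splunk_server, so a missing name calls for a follow-up check rather than proving the peer is disconnected.

```python
import csv
import io

# Constructed sample: CSV export of "* | stats count by splunk_server".
SAMPLE_CSV = """splunk_server,count
idx01,1523
IDX02,1498
sh01,310
"""

# Constructed list of the search peers added in step 4.
EXPECTED_PEERS = ["idx01", "idx02", "idx03"]


def peers_in_results(csv_text):
    """Return {server_name: event_count} for every splunk_server row."""
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Assumption: server names are compared case-insensitively.
        name = (row.get("splunk_server") or "").strip().lower()
        if not name:
            continue  # skip blank or malformed rows
        counts[name] = counts.get(name, 0) + int(row.get("count") or 0)
    return counts


def check_peers(csv_text, expected_peers):
    """Compare servers seen in the results with the expected peer list."""
    seen = set(peers_in_results(csv_text))
    expected = {p.strip().lower() for p in expected_peers}
    return {
        # Expected peers that returned no events: searches are blind to them.
        "missing": sorted(expected - seen),
        # Servers returning events that are not listed peers, for example
        # the search head itself holding indexed data.
        "unexpected": sorted(seen - expected),
    }


if __name__ == "__main__":
    report = check_peers(SAMPLE_CSV, EXPECTED_PEERS)
    print("missing peers:   ", report["missing"])
    print("unexpected hosts:", report["unexpected"])
```

An entry under "unexpected" that names the search head is worth checking against the note above about not indexing external data on the search head.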


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
