Overview of configuration
The search head should be dedicated to running searches. It should not index data.
Configure distributed search
Setting up distributed search consists of three basic steps:
1. Designate a Splunk Enterprise instance as the search head. See "Designate the search head".
2. Add search peers to the search head. See "Add search peers".
3. Add data inputs to the search peers. You add inputs the same way as you would for any indexer, either directly on the search peer or through forwarders connecting to the search peer. See the Getting Data In manual for information on data inputs.
Synchronize system clocks across the distributed search environment
It is important that you synchronize the system clocks on all machines, virtual or physical, that are running Splunk Enterprise instances participating in distributed search. Specifically, this means your search heads and search peers. In the case of search head pooling or mounted bundles, this also includes the shared storage hardware. Otherwise, various issues can arise, such as bundle replication failures, search failures, or premature expiration of search artifacts.
The synchronization method you use depends on your specific set of machines. Consult the system documentation for the particular machines and operating systems on which you are running Splunk Enterprise. For most environments, Network Time Protocol (NTP) is the best approach to use.
Other types of configuration
Other related types of configuration include:
- Removing a search peer.
- Modifying the contents of the knowledge bundle.
- Managing distributed server names.
- Mounting the knowledge bundle.
- Setting up a search head pool.
- Managing authorization.
Note: Splunk clusters also use search heads to search across their set of indexers, or peer nodes. You deploy search heads very differently when they are part of a cluster. To learn about deploying search heads in clusters, read "Enable the search head" in the Managing Indexers and Clusters Manual.
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14