Deploy a distributed search environment

Important: The topics in this chapter explain how to deploy a non-clustered distributed search topology. For information on deploying a search head cluster instead, read the chapter Deploy search head clustering.

The basic configuration to enable distributed search is simple. You designate one Splunk Enterprise instance as the search head and establish connections from the search head to one or more search peers, or indexers.

If you need to deploy more than a single search head, the best practice is to deploy the search heads in a search head cluster.

This is the type of topology that this topic specifically addresses:

The search head interfaces with the user and manages searches across the set of indexers. The indexers index incoming data and search the data, as directed by the search head.

Deploy distributed search

To set up a simple distributed search topology, consisting of a single dedicated search head and several search peers, perform these steps:

1. Identify your requirements. See System requirements and other deployment considerations for distributed search.

2. Designate a Splunk Enterprise instance as the search head. Since distributed search is enabled automatically on every full Splunk Enterprise instance, you do not actually perform any action in this step, aside from choosing the instance that you want to be your search head.

Choose an existing instance that is not indexing external data or install a new instance. For installation information, see the topic in the Installation Manual specific to your operating system.

3. Establish connections from the search head to all the search peers that you want it to search across. This is the key step in the procedure. See Add search peers to the search head.

4. Add data inputs to the search peers. You add inputs in the same way as for any indexer, either directly on the search peer or through forwarders connecting to the search peer. See the Getting Data In manual for information on data inputs.

5. Forward the search head's internal data to the search peers. See Best practice: Forward search head data to the indexer layer.

6. Log in to the search head and perform a search that runs across all the search peers, such as a search for *. Examine the splunk_server field in the results. Verify that all the search peers are listed in that field.

7. See the Securing Splunk Enterprise manual for information on setting up authentication.

To increase indexing capacity, deploy additional search peers. To increase the search management capacity, deploy multiple search heads as members of a search head cluster.

Deploy multiple search heads

To deploy multiple search heads, the best practice is to deploy the search heads in a search head cluster. This provides numerous advantages, including simplified scaling and management. See the chapter Deploy search head clustering.

Deploy search heads in indexer clusters

Splunk indexer clusters use search heads to search across their set of indexers, or peer nodes. You deploy search heads very differently when they are part of an indexer cluster. To learn about deploying search heads in indexer clusters, read Enable the search head in the Managing Indexers and Clusters of Indexers manual.