Getting Data In

Is there an alternative to Splunk Free for a distributed search POC?

deepak02
Path Finder

Hi,

I am trying a POC on my personal PC where

  • Forwarder is on one machine (Linux)
  • Indexer + Search Head on another machine (Mac OS)

I am using Splunk Enterprise downloaded for free.

ISSUE: I am able to see the data on the indexer, but the Search Head is not connecting to the indexer. (Error: REST interface to peer is taking longer than 5 seconds to respond on https. Peer may be over subscribed or misconfigured).

QUESTION:
I read that Splunk Free does not provide Distributed Search. Is that the reason why my Search Head to Indexer connection is not working?

Which Splunk product (free or very cheap) should I use to implement the above architecture (three tier on two machines)?

Thanks,
Deepak

0 Karma
1 Solution

lguinn2
Legend

If you are using the trial version of Splunk, you have all the Enterprise features for the first 60 days. So distributed search will work for 60 days, which should be enough time for a POC.

If the search head is not connecting to the indexer, I suspect that it is not configured properly. If you could show us the settings in distsearch.conf on the search head, the community can probably help you debug it. (You will probably find it in $SPLUNK_HOME/etc/system/local)


0 Karma
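Since the accepted answer asks for the search head's distsearch.conf, here is a small diagnostic for that file. It is an added example written for this thread, not Splunk's own code or a script from the original post. It reads the `servers` list from the `[distributedSearch]` stanza the way the search head does, then checks each peer's management port (splunkd REST, default 8089) first at the TCP level and then with an HTTPS request to the real `/services/server/info` endpoint, using the same 5-second budget the error message quotes. The hostnames in the sample conf are constructed; the bare `host:port` form without a scheme is tolerated as an assumption of this example.

```python
"""Diagnose search head -> search peer connectivity from distsearch.conf.

Added example for this thread, not Splunk tooling. Sample hostnames are
constructed; the REST endpoint and the 8089 default are Splunk's real ones.
"""
import configparser
import socket
import ssl
import urllib.request
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit

# Constructed sample of $SPLUNK_HOME/etc/system/local/distsearch.conf on the
# search head (hosts are illustrative, not from the original post).
SAMPLE_DISTSEARCH_CONF = """
[distributedSearch]
servers = https://indexer.example.com:8089, https://10.0.0.12:8089
"""

DEFAULT_MGMT_PORT = 8089
PEER_TIMEOUT_S = 5.0  # the search head's "taking longer than 5 seconds" budget


def parse_peers(conf_text):
    """Return [(scheme, host, port), ...] from the servers= key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get("distributedSearch", "servers", fallback="")
    peers = []
    for entry in (e.strip() for e in raw.split(",") if e.strip()):
        if "://" not in entry:  # assumption: tolerate host:port without a scheme
            entry = "https://" + entry
        u = urlsplit(entry)
        peers.append((u.scheme, u.hostname, u.port or DEFAULT_MGMT_PORT))
    return peers


def probe_tcp(host, port, timeout=PEER_TIMEOUT_S):
    """TCP-level check: tells a blocked or wrong port apart from a slow splunkd."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"            # typical of a firewall silently dropping packets
    except ConnectionRefusedError:
        return "refused"            # host is up, nothing listens (splunkd down / wrong port)
    except OSError as exc:
        return "error: %s" % exc    # DNS failure, unreachable network, ...


def probe_rest(scheme, host, port, timeout=PEER_TIMEOUT_S):
    """Request the peer's REST endpoint. Splunk ships a self-signed cert by
    default, so verification is disabled here purely for diagnosis; do not
    carry that into production, pin or trust the peer's cert instead."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = "%s://%s:%d/services/server/info" % (scheme, host, port)
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return "http %d" % resp.status
    except HTTPError as exc:
        # A 401 still proves splunkd answered in time; the remaining problem is
        # then trust/auth between search head and peer, not reachability.
        return "http %d" % exc.code
    except (URLError, OSError) as exc:
        return "error: %s" % exc


def diagnose(conf_text):
    """Return {"host:port": (tcp_result, rest_result)} for every configured peer."""
    report = {}
    for scheme, host, port in parse_peers(conf_text):
        tcp = probe_tcp(host, port)
        rest = probe_rest(scheme, host, port) if tcp == "open" else "skipped"
        report["%s:%d" % (host, port)] = (tcp, rest)
    return report


if __name__ == "__main__":
    for peer, (tcp, rest) in diagnose(SAMPLE_DISTSEARCH_CONF).items():
        print("%-28s tcp=%-8s rest=%s" % (peer, tcp, rest))
```

Reading the output: `timeout` at the TCP step points at a firewall or a wrong host entry between the two machines (the peer itself never saw the request); `refused` means the host is reachable but splunkd is not listening on that port; `open` followed by a slow or failing REST step means the peer is up but overloaded or misconfigured, which is the other half of the error text. An `http 401` is still a good sign for this thread's problem, because it shows the peer answered within the budget; adding the peer through Settings > Distributed search or the `splunk add search-server` CLI then establishes the trust the search head needs.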

s2_splunk
Splunk Employee

If you run search head and indexer on the same machine, there is no need for distributed search. The indexer IS the search head. Distributed search comes into play when you have 2+ indexers.
What are the success criteria for your PoC? Do you need to prove that distributed search works for your PoC to be successful?

0 Karma
