
Architect-Level: Splunk Admin 3.2 (Hands-On Part 1): Advanced Distributed Deployment

Oct 21, 2024
22:39

#splunk #architect #education #admin

This video is for educational purposes only and is based on the limited knowledge of the content creator. Please use it wisely in your environment.

Environment Setup: The demo lab consists of several Splunk instances, including a search head, indexers, and a heavy forwarder. All components are installed and initialized.

Distributed Search Setup: On the search head, configure distributed search by enabling the distributed environment and adding multiple indexers (three in this case) as search peers. Each indexer is added manually to the search head through Splunk's GUI, using the proper credentials and IP address for each.

Verifying Indexers: After the indexers are added, check their health status, then verify that they were added correctly by searching the internal Splunk logs on both search heads.

Enabling Data Forwarding: On the indexers, enable data receiving on port 9997. This is the port through which the heavy forwarder sends data to the indexers. On the heavy forwarder, configure data forwarding to send logs to each indexer on port 9997.

Testing Data Ingestion: The video demonstrates how to test the setup by creating inputs on the heavy forwarder, selecting logs to forward (e.g., war or user logs), and configuring them to go to the main index. Verify that the data is successfully ingested by checking the logs in Splunk's internal index.

Load Balancing: The video mentions that the setup allows for auto load balancing, meaning the forwarded data will be distributed evenly across all indexers.

Next Steps: The demo ends with plans to set up a deployment server, which will manage app and configuration deployment across the Splunk instances.

This video provides a practical demonstration of how to configure distributed search, data forwarding, and ingestion in a Splunk deployment.
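The GUI steps described above end up as a handful of settings in Splunk's .conf files. The fragment below is an added example, not taken from the video or from the creator's lab; the 192.0.2.x addresses, the group name demo_indexers and the monitored path /var/log are assumptions.

```ini
# ---- Each indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ----
# Listen for forwarded data on TCP 9997 (the "enable receiving" step).
# Plain splunktcp traffic is not encrypted; a TLS receiver is defined
# with a [splunktcp-ssl:<port>] stanza instead.
[splunktcp://9997]
disabled = 0

# ---- Heavy forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ----
[tcpout]
defaultGroup = demo_indexers

# Listing all three receivers in one target group is what gives
# automatic load balancing: the forwarder rotates between them.
[tcpout:demo_indexers]
server = 192.0.2.11:9997, 192.0.2.12:9997, 192.0.2.13:9997
# Seconds before the forwarder switches to another indexer (default 30).
autoLBFrequency = 30

# ---- Heavy forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ----
# Test input routed to the main index (path is an assumed example).
[monitor:///var/log]
index = main
disabled = 0

# ---- Search head: $SPLUNK_HOME/etc/system/local/distsearch.conf ----
# Peers added through the GUI are recorded here. Editing this file by
# hand does not exchange trust keys with the peers, which is why the
# GUI step asks for each indexer's credentials.
[distributedSearch]
servers = https://192.0.2.11:8089, https://192.0.2.12:8089, https://192.0.2.13:8089
```

To confirm both the search peers and the load balancing from the search head, a search such as `index=main | stats count by splunk_server` should return one row per indexer once data has been flowing for a few minutes.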
