Distributed Search Architecture

In a distributed environment, the Search Head sends search requests to Search Peers (indexers). Each peer searches its local data and returns results to the Search Head, which merges them.

The Search Head distributes search knowledge (saved searches, field extractions, macros) to peers via knowledge bundles — compressed packages replicated automatically.

distsearch.conf on the Search Head defines which servers are search peers and how knowledge bundles are replicated.

./splunk add search-server https://indexer1:8089
  -auth admin:password -remoteUsername admin
  -remotePassword password