What is distributed search?
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6
What is distributed search?
Splunk servers can distribute search requests to other Splunk servers and merge the results back to the user. Distributed search combines with balanced indexing to provide horizontal scaling, allowing you to search and index hundreds of gigabytes or terabytes per day. Additionally, distributed search allows select users to correlate data across different data silos.
Licenses for distributed deployments
If you have Splunk running on multiple hosts in a distributed environment, you must have a separate unique license key for each host. If you have been using a single license key for all your hosts, this will not work in versions 4.0 and later. Contact Support to have additional keys generated, or to have your license broken up into multiple keys for this purpose.
Cross-version compatibility
Note: All search nodes must be running Splunk 4.x in order for them to participate in the distributed search. Distributed search is not backwards or forwards compatible with Splunk 3.x.