Channel: Questions in topic: "search-head-clustering"

Is a deployer mandatory for deploying a search head cluster?

Hello, I have a basic question. I want to deploy a search head cluster. When I was going through the documentation, I came across that a deployer is mandatory (mentioned as "a functioning cluster requires several other components"), in which a deployer and a load balancer are mentioned. Do we really want this? Can we deploy without this? Thanks in advance

Is there an order of installation when building Splunk indexer and search head clusters?

Is there an order of installation when building a Splunk Cluster? I have detailed links and documents about the specific items, but it's difficult to determine the order of configuration & installation. I'm using [http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/SHCdeploymentoverview][1] as a reference.

Splunk cluster deployment order:

1. indexer cluster - master
2. indexer cluster - peers
3. search head cluster - Deployer
4. search head cluster - Members
5. search head cluster - Captain
6. integrate search cluster into indexer cluster
7. connect search heads to search peers

Thank you!
-Sean

[1]: http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/SHCdeploymentoverview

Why is the "user" role showing up on some single search head cluster member, but not the others?

I've found that the default user group role is being applied to users on some search heads, but not others. I can see this in the search log.

**Search head 1. Expected roles.**

```
7-20-2016 04:34:47.755 INFO dispatchRunner - Arguments are: "search" "--id=1468989287.51750_F7F40473-8726-4D4B-8160-4625565894FE" "--maxbuckets=300" "--ttl=600" "--maxout=500000" "--maxtime=8640000" "--lookups=1" "--reduce_freq=10" "--rf=*" "--user=someuser" "--pro" "--roles=xxxxxxxx:std-admin:std-power:std-user"
```

**Search head 2. Unexpected roles.**

```
07-20-2016 04:38:03.125 INFO dispatchRunner - Arguments are: "search" "--id=1468989482.13557_563FF8CD-6257-4804-A02F-F948DB01C42B" "--maxbuckets=300" "--ttl=600" "--maxout=500000" "--maxtime=8640000" "--lookups=1" "--reduce_freq=10" "--rf=*" "--user=someuser" "--pro" "--roles=:std-admin:std-power:std-user:user"
```

We have explicitly created our own roles that do not use the included default "user", "power" or "admin" roles. We have instead created similarly functioning ones called "std-admin/power/user".

Using btool ( `splunk btool authorize list --debug | grep import | sort -u` ), there isn't any import of this role, nor any other group that imports it into their own roles (apart from default), yet the user group shows up under my LDAP-authenticated account. I've checked other apps such as dbconnect/dbx and they had already been modified so as not to import the standard roles.

There is no LDAP mapping to the user group, so I am at a loss as to how it is picking up this default user role only on certain search heads. Is there any other way I can track down how this is being applied?

How to install the Splunk Add-on for Checkpoint OPSEC LEA in a search head clustering environment?

Hi fellow splunkers,

I have a question on the installation process of the Splunk Add-on for Checkpoint OPSEC LEA. I have read the following document: http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Install

----------

The following section concerns me:

| Distributed deployment feature | Supported |
|---|---|
| Search Head Clusters | No |
| Indexer Clusters | Yes |
| Deployment Server | No |

----------

Should this tell me installation over a deployer for the search head cluster is not possible? If yes, should I then manually install this app on every search head in the cluster?

Best regards,
pyro_wood

How to update custom JavaScript and CSS in a search head clustering environment?

Hi, I have an app that was created via "create app" on our search head cluster, and the customer wants to apply some custom CSS and JS. How would I do that in an SHC environment?

How can I find whether an environment is clustered or distributed? If it is distributed, how can I add a new index to that?

I have 4 servers, of which 2 are clustered and are used as search heads, a 3rd one is Splunk Enterprise Security, and the 4th server is search head pooling. These are connected to indexers. I want to know how to find whether the environment is clustered or distributed. If it is distributed, then how should I add a new index to it and pull logs into that index?

Thanks,
Nishwanth

Does the Alert Manager app work in a search head cluster?

Hi, does Alert Manager support clustering? I installed the TA on indexers and search heads, and the app on 2 Search Heads. The app is working individually on both SHs, but is there a way to see all alerts on one Search Head?

Can Hunk 6.4.x search head clustering nodes share accelerated data models?

We have 3 Search Heads clustered together (SH1, SH2, SH3). We are using Hunk on a 40 node Hadoop cluster to query data. Our searches are not running very fast, so I was very excited to see the accelerated data modeling feature in 6.4.

From SH1, I create a data model and accelerate it, and I see that the data model definition is replicated on SH2 and SH3, but when I search from SH1, SH2, and SH3 from the data model, I get different counts.

Our configuration is `vix.splunk.search.cache.path = /user/splunk_search/cache` for all three search heads. The HDFS Working Directory is different for each SH:

- SH1: HDFS Working Directory = /user/splunk_sh1
- SH2: HDFS Working Directory = /user/splunk_sh2
- SH3: HDFS Working Directory = /user/splunk_sh3

I thought that the accelerated data model data would be found in /user/splunk_search/cache/datamodel in HDFS, but I found it in the "HDFS Working Directory": /user/splunk_sh1/datamodel, /user/splunk_sh2/datamodel, /user/splunk_sh3/datamodel.

Is there a way for the search head cluster to share the accelerated data model? If I change the HDFS Working Directory to /user/splunk_search/cache for all search heads, would they share accelerated data models? Would this now mess up individual searches from each search head? If I am running the exact same search from SH1 and SH2, since the working directory is the same, would they interfere with each other?

Search Head Cluster : Unable to share Tag created from Event Actions>Action

In a Search Head Cluster environment, I am unable to share a Tag created from Event Actions>Action. On the other hand, a Tag created by navigating to Setting>Tags can be shared without issue.

Where do I change the capabilities for a role in a search head cluster?

Hi, In a search head cluster, if I need to change the capabilities in a role, where should I do it?

Why is my timezone configuration in the app directory for my search head cluster being ignored?

I'm trying to set the timezone via a deployable app to my search head cluster. If I put the configuration in the etc/system/local, it works fine. If it's in the app directory, then it doesn't. I did have a user-prefs.conf in my etc/users directory, but it didn't have the TZ config present and I took it a step further and deleted it. Using find and grep, the file in apps is the only user-prefs.conf that has TZ in it. Can anyone shed light on why Splunk would ignore the configuration even though it shows up in btool?

PS, this is a shcluster, so that's why the file is in default.

TIA,
Todd

Works

```
/opt/sh2a/etc/system/local/user-prefs.conf [general]
/opt/sh2a/etc/system/local/user-prefs.conf tz = America/New_York
/opt/sh2a/etc/apps/user-prefs/default/user-prefs.conf [general_default]
/opt/sh2a/etc/apps/user-prefs/default/user-prefs.conf appOrder = search
/opt/sh2a/etc/apps/user-prefs/default/user-prefs.conf default_namespace = $default
/opt/sh2a/etc/apps/user-prefs/default/user-prefs.conf showWhatsNew = 1
```

Doesn't work

```
/opt/sh2a/etc/apps/all_sh_base/default/user-prefs.conf [general]
/opt/sh2a/etc/apps/all_sh_base/default/user-prefs.conf tz = America/New_York
/opt/sh2a/etc/apps/user-prefs/default/user-prefs.conf [general_default]
/opt/sh2a/etc/apps/user-prefs/default/user-prefs.conf appOrder = search
/opt/sh2a/etc/apps/user-prefs/default/user-prefs.conf default_namespace = $default
/opt/sh2a/etc/apps/user-prefs/default/user-prefs.conf showWhatsNew = 1
```

Why am I getting error "CONFIGURATION ID MISMATCH" trying to add another search head to my search head cluster?

I'm trying to add another search head to my search head cluster. I'm receiving the following error when I try and bootstrap it.

```
[labsplunk-sh:/opt/sh2a/bin]$ ./splunk bootstrap shcluster-captain -servers_list "https://#.#.#.#:8088,https://#.#.#.#:8090,https://#.#.#.#:8091,https://#.#.#.#:8092,https://#.#.#.#:8093"
In handler 'shclustermemberconsensus': CONFIGURATION ID MISMATCH
```

server.conf

```
[shclustering]
disabled = 0
mgmt_uri = https://#.#.#.#:8093
pass4SymmKey = XXXXXXXX
adhoc_searchhead = true
conf_deploy_fetch_url = https://#.#.#.#:8088
```

It's a fresh Splunk tar, but the cluster is in use with deployed apps/configuration, so I don't want to delete everything and start over. The only thing I did to the SH was set the licenser, cluster-config, shcluster-config, and the deployer. This is the only line in the log to indicate the problem. Anyone else seen this issue or any suggestions on how to fix? I've restarted the whole cluster with no change.

Where do I enable HTTP Event Collector (HEC) and create a new token in an environment with both search head and indexer clustering?

Hello, We have a Splunk Enterprise environment that has separate tiers that are clustered: Search Heads and Indexers. Where/which tier do I enable HEC on and create tokens? Search Heads or Indexers? Thank you.

Component wise priority to deploy search head cluster and indexer cluster

Hi, We are planning to deploy a search head cluster and an indexer cluster, with a master node and a deployment server, for PoC use. Does anyone have a document where I can find which component I should deploy/configure first? Configure and start the indexer server first, or the master node first, or the search head first?

Thanks
Rajeev

Why do search head cluster members keep old bundle files, and can these be deleted safely?

Hi, We currently have a Search Head Cluster setup which has one deployer and two cluster members. One of the cluster members ran out of disk space and thus cannot issue searches anymore. Also, when I checked the cluster status, this one shows status as detention. There are several bundle files under /opt/splunk/var/run, most of which are 1 GB +. The member which ran out of disk space is holding almost twice as many .bundle files under that folder as compared to the other member. Both were configured the same way and all apps were deployed only via Deployer, but how can there be such difference between them? Could these bundle files be something completely unrelated to SH Clustering? Can any of these bundle files be deleted safely? Also, around the same time one member had the disk issue, the other active member (which is also the captain now) had a replication failure for all the connected search peers. State is up and Health status is "Healthy", but Replication status is "Failed". Could this be related to the fact that the only other member is currently down? Thanks, ~ Abhi

How to resolve error "clustersearchheadconfig': Searchhead is not enabled on this node"?

Hi, I have a search head cluster configuration and, due to HW issues on one of the SHs, I had to rebuild it and add it to the cluster. I can still see the old search head details, with the old GUID, on the master node "Indexer clustering" page. I tried to edit the cluster by using the command `splunk edit cluster-master`, but it is showing the error below:

```
In handler 'clustersearchheadconfig': Searchhead is not enabled on this node
```

Could you please suggest how to resolve this?

Thanks
Rajeev

How to disable indexing on search head cluster members?

Hi, I recently deployed a search head cluster and an indexer cluster and integrated them. How can I disable indexing on search head cluster members? Is there any workaround without making an entry in outputs.conf?

Thanks
Rajeev

How to configure three servers to each serve as a member and peer in both a search head and indexer cluster?

We have been challenged to spin up a small Splunk Enterprise environment. I would like to have three servers and cluster them all in an indexer cluster and search head cluster:

- Server A -> Indexer and search head
- Server B -> Indexer and search head
- Server C -> Indexer and search head
- Server D -> Cluster Master and deployer

How would you be able to logically separate the server roles? Would anyone know of where I can find documentation on this subject? Thanks!

Test cases for Splunk configuration/design/architecture

Hi, I have installed and configured Splunk as per the design below.

- Replication factor - 3
- Search Factor - 2
- Indexer cluster with 3 nodes and 1 master node
- Search Head Cluster - 2 (plus master node as deployer server)
- 1 deployment server

Please share if you have test cases to test Splunk design, connectivity and configuration.

Thanks
Rajeev