Deploy indexes.conf in a Search Head Cluster? How to avoid (and recover in...
We have a Search Head Cluster connected to an Indexer Cluster. All indexes are on the clustered Indexers, and the Search Head Cluster members forward their local internal indexes to the Indexers. Is it...
Docker image search cluster configuration fails in splunk-ansible: 'FAILED -...
We're using the docker images at https://hub.docker.com/r/splunk/splunk to install splunk in kubernetes. We're currently using 7.2.4, and are preparing to upgrade to 7.2.9.1. The configuration stage...
Slow web UI in Search Head cluster
Hey, My SH cluster web UI is very slow when approaching several management pages, such as Views, Lookups definition & automatic lookups. (These pages load time is around 30 seconds) The issue does...
What is the process and the effect of changing the `shcluster_label`...
If there is a SHC whose `shcluster_label` is `my_old_shc` and I want to change it to `my_new_shc`, how would I change it so that the SHC doesn't break on me? My idea would be to run `splunk edit...
How to permanently decommission the Search Head?
I have 10 SH in my environment. (THEY ARE NOT under SEARCH HEAD CLUSTERING) but they are under my master's "list of peers" And I want to permanently decommission couple of them. What are the steps to be...
Additional Search head apart from SH Cluster -Will it work?
Hello all, I have Index cluster in and SH cluster in our environment. All of them are 7.x version. Now I want to add an additional Search head (v8.0) , which will talk to Index cluster but this will...
How to discover if a search head cluster captain is static, dynamic, using...
How can I figure out that in established SHC showing captain is static or dynamic, using CLI or .conf files? I mean where can I see stanza regarding it?
execute a saved search in sh cluster captain
I have a python script. I have configured commands.conf accordingly. Now I want to execute it using saved search at regular interval. How to make sure that this saved search execute on Search Head...
Why do I get a massive amount of TcpOutputProc on my search head ?
I have a search head cluster (3 search heads) and an indexer cluster (3 indexers). More than 10% of splunkd.log (on my search heads) are produced by "TcpOutputProc". Is it an unusual amount ? $ grep...
Enterprise Security 6.x Multisite Search head Cluster
Hi, Does anyone happen to know if Multisite search head clustering is supported in ES 6.x? The validated architectures document says not, but it was written in 2018. Reading the release notes of 6.0,...
BMC Remedy add on in a search head cluster
I am having trouble using the BMC Remedy Add on in a search head cluster environment. First issue I am running into is that the web ui does not go beyond "Loading" on any of the members, worked around...
Why is it not recommended to use deployment server for deploying config...
Why is it not recommended to use deployment server for deploying config bundles to Search head cluster ? Why do we need a separate deployer instance and how is a deployer different from a deployment...
Is it possible to merge two search clusters?
We have 2 separate search clusters fed by the same index cluster. The reason to have two search clusters was to host 2 sets of apps/add-ons that serve 2 different functional groups. Now we are thinking...
search head cluster with ansible and kubernetes
Hello how can i configure search head cluster with ansible and kubernetes ? this is my configuration : > splunk-chart: namespace:> dev-aviation-01 persistence:> search:> dataSize:...
Why do I need layer-7 load balancer in front of Splunk Search Head Cluster
We are trying to add a load balancer in front of our Splunk Search Head Cluster (SHC), according to the official doc, we need layer-7/application level load balancer which provides session stickiness....
rest api and search head cluster
Hello In our system, splunk rest apis does a login call to splunk it does the login in one of the search heads and gets a token from that search head later on the load balancer changes the search head...
How does search head clustering refer to python files in this case?
i have search head A and B and C. it is search head clustering structure. i modified $SPLUNK_HOME/etc/apps/custom_apps/lib/connect.py from search head C and restarts to search head C only. i think...
How to create app in distributed Search Head ,without the deployer instance
Hi, I want to create app in my Search head(SH) in distributed environment, but I do not have the deployer setup. I have four SH, so how to create app in SH without deployer? Also I tried to create App...
Search Head Deployer error message
Has anyone seen this error before? Error while deploying apps to first member, aborting apps deployment to all members: Error while updating app=test1 on target=https://xx.xx.xx.xx:8089: Non-200/201...
Issues with search head cluster linked to two index clusters
I have a Search Head Cluster able to query in two index cluster. It used to be linked to a single index cluster and It was working fine, but at the moment I linked It to the second index cluster It...