https://community.splunk.com/t5/Deployment-Architecture/Can-you-help-me-with-an-Issue-building-a-Splunk-cluster/m-p/411711#M14750 <P>I manage a couple of small Splunk clusters, and for the 1st time, I need to build one form scratch. I am testing in our sandbox environment, but when I bring the cluster up, I end up with index issues that can't seem to be resolved.</P> <PRE><CODE>cannot fix up search factor as bucket is not serviceable Cannot fix search count as the bucket hasn't rolled yet. </CODE></PRE> <P>The above messages show up for every bucket in the _audit and _internal indexes. The build is a fairly simple one: 2 indexer peers, 1 master, and 1 dedicated search head</P> <P>1- It's RHEL based<BR /> 2- Install the rpm, 7.0.3 is the version I am playing with<BR /> 3 - Set the firewall rules to allow the traffic<BR /> 4 - /opt/splunk/bin/splunk enable boot-start -user root --accept-license<BR /> 5 - /opt/splunk/bin/splunk start --accept-license</P> <P>For the master I run - <CODE>/opt/splunk/bin/splunk edit cluster-config -mode master -replication_factor 2 -search_factor 2 -secret xxx -cluster_label test</CODE></P> <P>For the indexer peers - <CODE>/opt/splunk/bin/splunk edit cluster-config -mode slave -master_uri <A href="https://xx.xxx.xx.xx:8089" target="test_blank">https://xx.xxx.xx.xx:8089</A> -replication_port 9887 -secret xxx</CODE></P> <P>For the Search head - <CODE>/opt/splunk/bin/splunk edit cluster-config -mode searchhead -master_uri <A href="https://xx.x.xxx.xx:8089" target="test_blank">https://xx.x.xxx.xx:8089</A> -secret xxx</CODE></P> <P>Restart Splunk on the master, then configure the other nodes and restart Splunk.</P> <P>Not sure what I am missing or doing wrong.</P> Thu, 28 Feb 2019 19:46:35 GMT a238574 2019-02-28T19:46:35Z https://community.splunk.com/t5/Deployment-Architecture/Can-you-help-me-with-an-Issue-building-a-Splunk-cluster/m-p/411711#M14750 <P>I manage a couple of small Splunk clusters, and for the 1st time, I need to build one form scratch. I am testing in our sandbox environment, but when I bring the cluster up, I end up with index issues that can't seem to be resolved.</P> <PRE><CODE>cannot fix up search factor as bucket is not serviceable Cannot fix search count as the bucket hasn't rolled yet. </CODE></PRE> <P>The above messages show up for every bucket in the _audit and _internal indexes. The build is a fairly simple one: 2 indexer peers, 1 master, and 1 dedicated search head</P> <P>1- It's RHEL based<BR /> 2- Install the rpm, 7.0.3 is the version I am playing with<BR /> 3 - Set the firewall rules to allow the traffic<BR /> 4 - /opt/splunk/bin/splunk enable boot-start -user root --accept-license<BR /> 5 - /opt/splunk/bin/splunk start --accept-license</P> <P>For the master I run - <CODE>/opt/splunk/bin/splunk edit cluster-config -mode master -replication_factor 2 -search_factor 2 -secret xxx -cluster_label test</CODE></P> <P>For the indexer peers - <CODE>/opt/splunk/bin/splunk edit cluster-config -mode slave -master_uri <A href="https://xx.xxx.xx.xx:8089" target="test_blank">https://xx.xxx.xx.xx:8089</A> -replication_port 9887 -secret xxx</CODE></P> <P>For the Search head - <CODE>/opt/splunk/bin/splunk edit cluster-config -mode searchhead -master_uri <A href="https://xx.x.xxx.xx:8089" target="test_blank">https://xx.x.xxx.xx:8089</A> -secret xxx</CODE></P> <P>Restart Splunk on the master, then configure the other nodes and restart Splunk.</P> <P>Not sure what I am missing or doing wrong.</P> Thu, 28 Feb 2019 19:46:35 GMT https://community.splunk.com/t5/Deployment-Architecture/Can-you-help-me-with-an-Issue-building-a-Splunk-cluster/m-p/411711#M14750 a238574 2019-02-28T19:46:35Z https://community.splunk.com/t5/Deployment-Architecture/Can-you-help-me-with-an-Issue-building-a-Splunk-cluster/m-p/411712#M14751 <P>You are building an index cluster with 1 node and configure <CODE>replication_factor=2</CODE> , this cannot work. You would need at least 2 nodes to make it work.</P> <P>cheers, MuS</P> Thu, 28 Feb 2019 22:52:21 GMT https://community.splunk.com/t5/Deployment-Architecture/Can-you-help-me-with-an-Issue-building-a-Splunk-cluster/m-p/411712#M14751 MuS 2019-02-28T22:52:21Z https://community.splunk.com/t5/Deployment-Architecture/Can-you-help-me-with-an-Issue-building-a-Splunk-cluster/m-p/411713#M14752 <P>Its got 4 nodes 1 for each function 2 indexer peers, 1 master, and 1 dedicated search head</P> Fri, 01 Mar 2019 13:07:47 GMT https://community.splunk.com/t5/Deployment-Architecture/Can-you-help-me-with-an-Issue-building-a-Splunk-cluster/m-p/411713#M14752 a238574 2019-03-01T13:07:47Z https://community.splunk.com/t5/Deployment-Architecture/Can-you-help-me-with-an-Issue-building-a-Splunk-cluster/m-p/411714#M14753 <P>The steps are the same for each node except for the cluster config command</P> Fri, 01 Mar 2019 13:10:46 GMT https://community.splunk.com/t5/Deployment-Architecture/Can-you-help-me-with-an-Issue-building-a-Splunk-cluster/m-p/411714#M14753 a238574 2019-03-01T13:10:46Z https://community.splunk.com/t5/Deployment-Architecture/Can-you-help-me-with-an-Issue-building-a-Splunk-cluster/m-p/411715#M14754 <P>Found the issue. I had copied the rhel firewall rules from another splunk env that had modified the replication port from 9887 to 8080. Once I fixed the rules the index issues were automatically fixed.</P> Thu, 07 Mar 2019 16:17:43 GMT https://community.splunk.com/t5/Deployment-Architecture/Can-you-help-me-with-an-Issue-building-a-Splunk-cluster/m-p/411715#M14754 a238574 2019-03-07T16:17:43Z