https://community.splunk.com/t5/Deployment-Architecture/distsearch-conf-documentation-confusion/m-p/540175#M18555 <P>Hello Guys,</P><P>I am preparing for Splunk Enterprise Admin certification and I am getting a bit confused by the documentation in Splunk docs.</P><P>Namely, there are two different statements in distsearch.conf stanza, and not sure which one is the right one.</P><P data-unlink="true">Splunk/8.1.2/DistSearch/Configuredistributedsearch -&nbsp;here states:<BR /><BR /></P><P><SPAN class="mw-headline">"Add the search peers</SPAN></P><P>To connect the search peers:</P><P><STRONG>1.</STRONG><SPAN>&nbsp;</SPAN>On the search head, create or edit a<SPAN>&nbsp;</SPAN>distsearch.conf<SPAN>&nbsp;</SPAN>file in<SPAN>&nbsp;</SPAN>$SPLUNK_HOME/etc/system/local.</P><P><STRONG>2.</STRONG><SPAN>&nbsp;</SPAN>Add the search peers to the<SPAN>&nbsp;</SPAN>servers<SPAN>&nbsp;</SPAN>setting under the<SPAN>&nbsp;</SPAN>[distributedSearch]<SPAN>&nbsp;</SPAN>stanza. Specify the peers as a set of comma-separated values (host names or IP addresses with management ports). For example:</P><PRE>[distributedSearch] servers = https://192.168.1.1:8089,https://192.168.1.2:8089</PRE><P><STRONG>Note:</STRONG><SPAN>&nbsp;</SPAN>You must precede the host name or IP address with the URI scheme, either "http" or "https"."</P><P>&nbsp;</P><P data-unlink="true">Splunk/8.1.2/DistSearch/Distributedsearchgroups - the other one here states:</P><P>"You define distributed search groups in<SPAN>&nbsp;</SPAN>distsearch.conf.</P><P>For example, to create the two search groups NYC and SF, create stanzas like these:</P><P>You define distributed search groups in<SPAN>&nbsp;</SPAN>distsearch.conf.</P><P>For example, to create the two search groups NYC and SF, create stanzas like these:</P><DIV class="samplecode"><PRE>[distributedSearch] # This stanza lists the full set of search peers. servers = 192.168.1.1:8089, 192.168.1.2:8089, 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089 [distributedSearch:NYC] # This stanza lists the set of search peers in New York. default = false servers = 192.168.1.1:8089, 192.168.1.2:8089 [distributedSearch:SF] # This stanza lists the set of search peers in San Francisco. default = false servers = 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089</PRE></DIV><P>&nbsp;</P><P>In the first example, it says that "http/https" is required in hostname/IP under servers variable in [distriburedSearch] stanza, the other one omits it and does not say anything about "http/https" as the required value. I am not at the stage of testing this myself yet, so was thinking maybe I can ask here.</P><P>&nbsp;</P><P>Thanks in advance&nbsp;</P> Tue, 16 Feb 2021 23:17:00 GMT omeniasty 2021-02-16T23:17:00Z https://community.splunk.com/t5/Deployment-Architecture/distsearch-conf-documentation-confusion/m-p/540175#M18555 <P>Hello Guys,</P><P>I am preparing for Splunk Enterprise Admin certification and I am getting a bit confused by the documentation in Splunk docs.</P><P>Namely, there are two different statements in distsearch.conf stanza, and not sure which one is the right one.</P><P data-unlink="true">Splunk/8.1.2/DistSearch/Configuredistributedsearch -&nbsp;here states:<BR /><BR /></P><P><SPAN class="mw-headline">"Add the search peers</SPAN></P><P>To connect the search peers:</P><P><STRONG>1.</STRONG><SPAN>&nbsp;</SPAN>On the search head, create or edit a<SPAN>&nbsp;</SPAN>distsearch.conf<SPAN>&nbsp;</SPAN>file in<SPAN>&nbsp;</SPAN>$SPLUNK_HOME/etc/system/local.</P><P><STRONG>2.</STRONG><SPAN>&nbsp;</SPAN>Add the search peers to the<SPAN>&nbsp;</SPAN>servers<SPAN>&nbsp;</SPAN>setting under the<SPAN>&nbsp;</SPAN>[distributedSearch]<SPAN>&nbsp;</SPAN>stanza. Specify the peers as a set of comma-separated values (host names or IP addresses with management ports). For example:</P><PRE>[distributedSearch] servers = https://192.168.1.1:8089,https://192.168.1.2:8089</PRE><P><STRONG>Note:</STRONG><SPAN>&nbsp;</SPAN>You must precede the host name or IP address with the URI scheme, either "http" or "https"."</P><P>&nbsp;</P><P data-unlink="true">Splunk/8.1.2/DistSearch/Distributedsearchgroups - the other one here states:</P><P>"You define distributed search groups in<SPAN>&nbsp;</SPAN>distsearch.conf.</P><P>For example, to create the two search groups NYC and SF, create stanzas like these:</P><P>You define distributed search groups in<SPAN>&nbsp;</SPAN>distsearch.conf.</P><P>For example, to create the two search groups NYC and SF, create stanzas like these:</P><DIV class="samplecode"><PRE>[distributedSearch] # This stanza lists the full set of search peers. servers = 192.168.1.1:8089, 192.168.1.2:8089, 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089 [distributedSearch:NYC] # This stanza lists the set of search peers in New York. default = false servers = 192.168.1.1:8089, 192.168.1.2:8089 [distributedSearch:SF] # This stanza lists the set of search peers in San Francisco. default = false servers = 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089</PRE></DIV><P>&nbsp;</P><P>In the first example, it says that "http/https" is required in hostname/IP under servers variable in [distriburedSearch] stanza, the other one omits it and does not say anything about "http/https" as the required value. I am not at the stage of testing this myself yet, so was thinking maybe I can ask here.</P><P>&nbsp;</P><P>Thanks in advance&nbsp;</P> Tue, 16 Feb 2021 23:17:00 GMT https://community.splunk.com/t5/Deployment-Architecture/distsearch-conf-documentation-confusion/m-p/540175#M18555 omeniasty 2021-02-16T23:17:00Z https://community.splunk.com/t5/Deployment-Architecture/distsearch-conf-documentation-confusion/m-p/540176#M18556 <P>Just worth adding that documentation for "adding search peers" through CLI, Splunk Web says that http/https is required.</P><P>Even Splunk Web console when states this info "<EM>Specify the search peer as servername:mgmt_port or URI:mgmt_port. You must prefix the URI with its scheme. For example: '<A href="https://sp1.example.com:8089" target="_blank">https://sp1.example.com:8089</A>'."</EM></P><P>Does it mean that both versions are acceptable or&nbsp;<SPAN>Splunk/8.1.2/DistSearch/Distributedsearchgroups page is wrong?</SPAN></P> Tue, 16 Feb 2021 23:36:28 GMT https://community.splunk.com/t5/Deployment-Architecture/distsearch-conf-documentation-confusion/m-p/540176#M18556 omeniasty 2021-02-16T23:36:28Z