All Apps and Add-ons

Installing CIM in a clustered environment- Has anyone managed to install CIM in a clustered environment without issues?

joshiro
Communicator

The CIM documentation says that we should install CIM only on SH. But it contains an indexes.conf in default.
Should we leave the indexes.conf in the SHC? in this case the index defined inside indexes.conf wont be usable because is not defined in the indexer cluster.

We dont know if it is correct to define the CIM indexes.conf in the SHC instead of the indexers.

Anyone managed to install CIM in a clustered environment without issues?

Labels (1)
Tags (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

As the documentation cited by @PickleRick says, indexes.conf is deprecated in the app  The docs specify which indexes the app uses so admins can make sure they exist.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Remove the CIM's indexes.conf file from the deployment-apps shcluster directory before you apply the shcluster bundle.

---
If this reply helps you, Karma would be appreciated.

joshiro
Communicator

We will remove the indexes.conf from the bundle.
But we still need to define it in the indexers? is that correct?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

CIM does not get installed on indexers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

joshiro
Communicator

I know that the documentation says it is installed only on SHC, but i still dont understand why CIM defines indexes in default if we are suposed to remove it from the SH bundle and never install it on the indexers.

I feel that something wont work correctly if we dont deploy that index definition. Unless its deprecated and shouldnt be there.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

As the documentation cited by @PickleRick says, indexes.conf is deprecated in the app  The docs specify which indexes the app uses so admins can make sure they exist.

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust
SplunkTrust
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...