All Apps and Add-ons

Installing CIM in a clustered environment- Has anyone managed to install CIM in a clustered environment without issues?

joshiro
Communicator

The CIM documentation says that we should install CIM only on SH. But it contains an indexes.conf in default.
Should we leave the indexes.conf in the SHC? in this case the index defined inside indexes.conf wont be usable because is not defined in the indexer cluster.

We dont know if it is correct to define the CIM indexes.conf in the SHC instead of the indexers.

Anyone managed to install CIM in a clustered environment without issues?

Labels (1)
Tags (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

As the documentation cited by @PickleRick says, indexes.conf is deprecated in the app  The docs specify which indexes the app uses so admins can make sure they exist.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Remove the CIM's indexes.conf file from the deployment-apps shcluster directory before you apply the shcluster bundle.

---
If this reply helps you, Karma would be appreciated.

joshiro
Communicator

We will remove the indexes.conf from the bundle.
But we still need to define it in the indexers? is that correct?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

CIM does not get installed on indexers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

joshiro
Communicator

I know that the documentation says it is installed only on SHC, but i still dont understand why CIM defines indexes in default if we are suposed to remove it from the SH bundle and never install it on the indexers.

I feel that something wont work correctly if we dont deploy that index definition. Unless its deprecated and shouldnt be there.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

As the documentation cited by @PickleRick says, indexes.conf is deprecated in the app  The docs specify which indexes the app uses so admins can make sure they exist.

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust
SplunkTrust
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...