All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to get resource utilization information for all clustered search heads from a single search head using the S.o.S add-on for Linux?

butzowj
Path Finder
‎01-07-2016 08:15 AM

Hi,

We are running S.o.S - Splunk on Splunk in a search head clustering environment. Is it possible to get the resource utilization information from all search heads to be searchable from a single search head using the S.o.S add-on for Linux? Right now, I have to log in to Splunk Web for each search head to get the data for that search head, (i.e. I have to log in to searchhead1:8000 to view info for searchhead1).

Thanks,
JB

0 Karma
Reply

msudhindra
Path Finder
‎01-07-2016 10:55 AM

Where does your search-head maintain its data , and is that location searchable from the other search heads ? Do you have an outputs.conf on your search-head that redirects the outputs to an indexer ?

The default behavior of Splunk is to maintain (index) data locally. So your search head in the cluster, is also an indexer for local data only. The issue you see is due to the fact that the search head you are logging into, does not have access to the data indexed on other search head nodes in the cluster.

In our case, we forward all data from a search head off to an indexer, where it is indexed, and maintained. These indexers are searchable from all the search head nodes in the cluster, and the above problem is avoided.

Thanks,
Madan

Reply

butzowj
Path Finder
‎01-07-2016 11:03 AM

HI Madan -

Thx for the response.

Our search heads write data locally right now, because we don't know how to configure it any other way. Ideally, we would write send this data to the index cluster to be indexed with the rest of our data. It sounds like we need to utilize an outputs.conf file to forward the locally indexed data to the index cluster.

Which outputs.conf file would we use, and would this have any other potential impacts to the system?

Thanks,
JB

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...