All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using DFS File replication for Knowledge Bundle syncing

nowplaying
Explorer
‎06-05-2013 11:17 AM

As the title states, has anyone tried this for Windows Search Head Pools?

Our file server is across the WAN from our search heads and I fear we'll experience performance issues using a UNC path for the knowledge bunch. Curious if anybody has tried DFS replication for knowledge bundle syncing across search heads?

0 Karma
Reply

ctapia
New Member
‎08-05-2014 11:30 AM

Regarding http://wiki.splunk.com/Community:Deploy:How_To_Set_Up_Search_Head_Pooling_and_Shared_Bundle
you should have your SHs behind a LVS and them sharing same "pooling" folder. In that way, if your job SH goes down, you won't need to enable the pipeline scheduler manually. (and you will be only replicating the data across other DFS servers instead doing into splunk servers).

That should avoid the DFSR issues.

0 Karma
Reply

nowplaying
Explorer
‎08-05-2014 10:14 AM

We successfully implemented DFS replication in place of the shared mounted path.

We have 3 Search Heads all configured with search head pooling enabled. Each SH has this configured in $SPLUNK_HOME$/etc/system/local/server.conf

[pooling]
state = enabled
storage = c:\Splunk

We ran into an issue where saved search alerts were being run from multiple search heads so we dedicated a single SH as our "job" server. 2 of the search heads have the pipeliner scheduler disabled with this configuration setting in $SPLUNK_HOME/etc/system/local/default-mode.conf

[pipeline:scheduler]
disabled = true

The only other configuration necessary is setting up DFS replication. Each search head is configured to replicate the c:\Splunk directory to the other 2 search heads.

This setup has worked very well for us for about a year now. One thing to note though, the C:\Splunk\var\run\splunk\dispatch directory is extremely active. It's constantly updating, creating, and deleting files. Because of this, on a very active system with lots of users, DFS may have issues keeping up with all the changes.

0 Karma
Reply

ctapia
New Member
‎08-05-2014 07:47 AM

I tried a moment ago.
(DFS mounted over CentOS 6.5 with Samba 4)

Despite i'm able to add/remove content with full rights, search head pooling is not working.
I'm always receiving a: "Failed to lock /mnt/DFS/splunk/etc/pooling/pooling.ini with code -1, possible reason: File exists"

Perhaps it does in windows...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...