What are the best practices for installing SoS on cluster?

jtworzydlo
Path Finder

As written above - I just set up a cluster (Master, 2 Indexers + SearchHead). Are there some good practices for installing SoS on cluster? Is it also pushed from the master to the nodes or installed on search head as in distributed deployment?

1 Solution

hexx
Splunk Employee

@alacercogitatus has the gist of it but there are a few more details.

This is a 3-step process:

NB:

  • Don't forget to enable the scripted inputs (lsof_sos.sh and ps_sos.sh) before pushing them out.
  • Due to a Splunk bug (SPL-64308), the file permissions of scripted inputs distributed by the cluster configuration bundle on the peers will be incorrect and will need to be manually corrected. This will be fixed in maintenance release 5.0.4.

theunf
Communicator

If the Search Heads are not forwarding sos logs to the indexing cluster you should create a static distributed peer for each SH on the master.
It'll then see Search Heads logs although they will be listed as Indexers on the topology.

Another way is to forward sos logs from the Search Head just to the Master if this could not be added to the indexing cluster disk usage.

0 Karma

singhbc
Path Finder

Is it any different if the Search Heads are part of a SH Cluster? Still follow the same steps?

0 Karma

sk314
Builder

I have a similar setup (2 search heads in a cluster, 3 clustered indexers). It's the same process. Install the S.o.S app on the search heads using the deployer.

0 Karma

hexx
Splunk Employee

Or better yet: Since you are running Splunk 6.2, use the Distributed Management Console to monitor your Splunk deployment.

Note that as of right now, S.o.S is not certified on search-head clusters. Read more about this here.

0 Karma

andrey2007
Contributor

"Install the S.o.S app on the cluster master. This is the only instance where the "Cluster Master View" will work."
Is it the case for situation when I forward all indexes from Cluster Master to Indexers layer?

0 Karma

hexx
Splunk Employee

Yes, that will work fine.

0 Karma

andrey2007
Contributor

Is it really the ONLY instance where the "Cluster Master View" will work in case of forwarding of indexes?

0 Karma

hexx
Splunk Employee

Yes, because that view (and the "Bucket Fix-up Activity" view) depend on searches against the local (in other words, the Cluster Master's) REST API to be populated.

0 Karma

andrey2007
Contributor

Ok, thank you for clarifying!

0 Karma

hexx
Splunk Employee
  1. You're welcome.
  2. You need to manually change the permissions on the peers' etc/slave-apps/$APP/bin/* files.
  3. Not at this time. It will definitely be fixed with our next maintenance release (5.0.4) and may be a part of a special patch before that.
0 Karma
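
The manual correction described above for SPL-64308, as an added example (not from the thread or from Splunk): a script to run on each peer that lists files under etc/slave-apps/$APP/bin/ lacking the owner execute bit and repairs them. It assumes that "incorrect permissions" means the execute bit was dropped, which the thread does not state, and that the files are owned by the account running splunkd; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and repair scripted-input file modes on a cluster peer.
# Assumption: the SPL-64308 symptom is a missing owner execute bit.
# Usage: sh fix_bin_perms.sh "$SPLUNK_HOME/etc/slave-apps/$APP/bin"

# Print every regular file directly under <bin_dir> whose owner
# execute bit (octal 100) is not set.
list_nonexec() {
    [ -d "$1" ] || { printf 'not a directory: %s\n' "$1" >&2; return 2; }
    find "$1" -maxdepth 1 -type f ! -perm -100
}

# Print how many files list_nonexec reports for <bin_dir>.
count_nonexec() {
    list_nonexec "$1" | wc -l | tr -d ' '
}

# Add owner execute to the affected files only. Group and other write
# are removed at the same time so the repair never widens who can
# modify a script that splunkd will run.
# Returns 0 when no non-executable file remains afterwards.
fix_perms() {
    [ -d "$1" ] || { printf 'not a directory: %s\n' "$1" >&2; return 2; }
    find "$1" -maxdepth 1 -type f ! -perm -100 \
        -exec chmod u+x,go-w {} +
    [ "$(count_nonexec "$1")" -eq 0 ]
}

# When called with one argument, report first, then repair.
if [ "$#" -eq 1 ]; then
    echo "Files without owner execute bit:"
    list_nonexec "$1"
    if fix_perms "$1"; then
        echo "All files under $1 are now executable by their owner."
    else
        echo "Some files could not be corrected; check ownership." >&2
        exit 1
    fi
fi
```
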

agodoy
Communicator
  1. Thanks for the great response.
  2. The permissions in SPL-64308 can be changed on the slave-apps directory on the peers or does it have to be changed in the bundle and redeployed?
  3. Is SPL-64308 available to the public?
0 Karma

jtworzydlo
Path Finder

Thanks a lot for the details!

0 Karma

alacercogitatus
SplunkTrust

You may want to consult this doc:

http://docs.splunk.com/Documentation/Splunk/5.0.2/Indexer/Clustersinscaledoutdeployments#Cluster_pee...

To Install SoS in a cluster, install the app on the search head, and the TA-sos on the indexers. Or use deploy-server to send the TA to the indexers.
