I am setting up Fire Brigade v 2.0.3 to monitor my splunk deployment (using index clustering with RF = 5 and SF = 3). The documentation for Fire Brigade provided a brief discussion for a few options in terms of deployment, but I am a little unclear still as to the recommended deployment when monitoring an indexer cluster. It seems like my options are as follows:
I am also not really clear on configuring the monitoredindexes.csv. Firstly, I don't find anything so far in the Fire Brigade UI for configuring this csv. Secondly, looking on the stand-alone sh where I currently deployed FB and its TA doing a 'find /opt/splunk -name monitoredindexes*' as the root account returned no file. Same situation when looking for this file on the index cluster master (I uploaded the TA to the master in case it is recommended to apply the TA across the cluster).
Firebrigade-TA goes on the indexers, it can be deployed with 'master-apps' on the CM.
The app itself will go on a search head, doesn't need to be the CM.
As for monitored indexes, there is a saved search that runs every night in the early AM. It builds that list based on all the indexes that are replicating.
Install that, and wait. It will be populated within 24 hours, as I believe is noted in the docs.
Thanks esix_splunk - doing your recommended config now.
FYI, Fire Brigade version 2 will no longer be updated (latest version is 2.0.3). The newer versions 2.0.4 and higher will now be available with the original “Fire Brigade” app on Splunkbase which was just updated to support Splunk 6.3. This is noted on the page for Fire Brigade on Splunkbase:
If you have any questions, ping the developer of the app @sowings