Getting Data In

What is the knowledge bundle default behaviour? [Question was asked but I was incorrect in my understanding of a knowledge bundle]

robertlynch2020
Motivator

Hi

I have one search head and 2 search nodes (non-clustered).

I have an app installed on the search head, but I had to manually install the app to the 2 search nodes, but I get the feeling this should have happened by default with "knowledge bundle".

http://docs.splunk.com/Documentation/Splunk/7.2.1/DistSearch/Limittheknowledgebundlesize

Or do I have to specify my app specifically? If so, how and where?
When I check my "search peers" I can see "Replication Status" = Successful

Thanks in advance
Robert Lynch

0 Karma

kmorris_splunk
Splunk Employee

If your indexers are currently not clustered, you could use a Deployment Server to push the app to all of your indexers. In a clustered environment, you would use the Cluster Master to do this.

Do you currently have a Deployment Server?

robertlynch2020
Motivator

Hi

I started to use Forwarder Management on a deployment server and it worked, thanks 🙂

Robbie

0 Karma

robertlynch2020
Motivator

Hi

Thanks for the reply.
I don't have a deployment server nor a cluster master. Which one would be easier to apply? I am assuming I need to get one.

http://docs.splunk.com/Documentation/Splunk/7.2.1/Updating/Planadeployment

However, I am reading that a deployment server can't be a search head also. My plan was to change things on my search head and have these changes pushed out to my search nodes.

So for example, if I am logging into my search head and I make a change to my app [Datamodel, limits.conf, etc.], I want this change to take effect on my search nodes.

So if this is not possible how does it work? So would a cluster master be easier for this?

Thanks
Rob

0 Karma

ddrillic
Ultra Champion

First, about terminology - knowledge bundle is defined as -

What search heads send to search peers

-- When initiating a distributed search, the search head replicates and distributes its knowledge objects to its search peers, or indexers. Knowledge objects include saved searches, event types, and other entities used in searching across indexes. The search head needs to distribute this material to its search peers so that they can properly execute queries on its behalf. This set of knowledge objects is called the knowledge bundle.

And Replication Status is about data replication across indexers.

robertlynch2020
Motivator

Thanks. I was incorrect in my understanding. Thanks for the correction.

0 Karma