Archive
Highlighted

about adding indexers and search header questions.

Communicator

1、"Index" is my master node, why does it appear on my search head list? I try to type "splunk remove shcluster-member" on the index master node, it prompts the following information:

alt text

2、My original index cluster has three indexers. The set replication factor is: 3. The search factor is 2. Now I have added an indexer to the index cluster. Question: Why does the new indexer's default index have data, and other custom indexes do not have data? Should my copy factor be changed to "4"?

alt text

Tags (2)
0 Karma
Highlighted

Re: about adding indexers and search header questions.

SplunkTrust
SplunkTrust

hello xsstest,
first question,
the Cluster Master (here the Splunk instance names index) is always a Search Peer for the Indexer Cluster
i am aware the terminology of Splunk can be sometimes confusing, but its important to understand the terms of different Clusters
Indexer Cluster - Search Peer = an instance that searches that particular cluster (can be many Search peers and they dont have to be clustered themselves)
Search head Cluster - Search Head Members, are search heads that are part of the Search Head Cluster
Your Cluster Master (index) is not a part of a Search Head Cluster, on a side note, i dont know if you have a search head cluster. and therefore the command you execute will not affect it.
the screen you are looking at is the Cluster Master view and it shows all the Search Peers regardless.
as for your second question,
did you verify all indexes configuration were replicated to the new indexer?
did you set repFactor = auto ?
did you set forwarders outputs to reflect new Indexer or you use the Indexer discovery function?
hope it helps

View solution in original post

0 Karma
Highlighted

Re: about adding indexers and search header questions.

Communicator

first question,
I do have a search head cluster.

Second question:

repFactor = auto on /opt/splunk/etc/slave-apps/_cluster/deafult/indexes.conf file ?

and my forwarders outputs configuration is as follows

vim /opt/splunkforwarder/etc/apps/search/default/outputs.conf

[indexerdiscovery:master1]
pass4SymmKey = xxxxxxx
master
uri = https://mster node IP:8089

[tcpout:group1]
autoLBFrequency = 30
forceTimebasedAutoLB = true
indexerDiscovery = master1
useACK = true

[tcpout]
defaultGroup = group1

0 Karma
Highlighted

Re: about adding indexers and search header questions.

Communicator

How do I use the Indexer discovery function

0 Karma
Highlighted

Re: about adding indexers and search header questions.

SplunkTrust
SplunkTrust

looks like you are using the indexer discovery function.
your outputs looks ok as well
the outputs location looks odd, it is under the app search and the default directory.
not the best place to be
regarding repFactor, yes
this is from docs:

   repFactor = 0|auto
    * Valid only for indexer cluster peer nodes.
    * Determines whether an index gets replicated.
    * Value of 0 turns off replication for this index.
    * Value of "auto" turns on replication for this index.
    * This attribute must be set to the same value on all peer nodes.
    * Defaults to 0.

if it sums it up, kindly mark question as answered

0 Karma