Archive
Highlighted

servers-attribute of distsearch.conf not visible

Explorer

Hello I need a small clarification over distsearch.conf.

As per the documentation, to connect the SH with Indexer. One can configure in SH using any of the 3 ways : CLI, GUI & Conf file. The doc nicely describes it, Thanks for that.

In my case, the splunk env was already setup in my organisation. Now I am not aware which way was followed for adding search peer to search head.

Now in the SH GUI the "settings-->Distributed search-->Search peers" server entry is visible, and also the SH fetches the data from Indexer nicely. But my problem is I am not able to find out in which conf file that server settings are stored.

I tried to locate the distsearch.conf inside whole of splunk dir, but I could not find the server settings in anywhere. Further I tried to debug with btool cmd in SH and was surprised to see, even in that the servers settings are not visible.

Summarizing the Problem : The setting is visible in GUI, but no clue in which conf file that setting is getting stored.

0 Karma
Highlighted

Re: servers-attribute of distsearch.conf not visible

Champion

splunk btool distsearch list --debug

0 Karma
Highlighted

Re: servers-attribute of distsearch.conf not visible

Explorer

Thanks for your reply. I did try that, but no entries for servers in the output of above cmd. I have put the output of the above cmd below and also the settings from the GUI.

The GUI shows the settings, but the conf file doesn't have it stored anywhere.

GUI proof:

alt text

CMD output :

`[splunk@testserverSH bin]$ ./splunk btool distsearch list --debug
/opt/splunk/etc/system/default/distsearch.conf [bundleEnforcerBlacklist]
/opt/splunk/etc/system/default/distsearch.conf [bundleEnforcerWhitelist]
/opt/splunk/etc/system/default/distsearch.conf [distributedSearch]
/opt/splunk/etc/system/default/distsearch.conf authTokenConnectionTimeout = 5
/opt/splunk/etc/system/default/distsearch.conf authTokenReceiveTimeout = 10
/opt/splunk/etc/system/default/distsearch.conf authTokenSendTimeout = 10
/opt/splunk/etc/system/default/distsearch.conf bestEffortSearch = false
/opt/splunk/etc/system/default/distsearch.conf connectionTimeout = 10
/opt/splunk/etc/system/default/distsearch.conf disabled = false
/opt/splunk/etc/system/default/distsearch.conf peerResolutionThreads = 0
/opt/splunk/etc/system/default/distsearch.conf receiveTimeout = 600
/opt/splunk/etc/system/default/distsearch.conf sendTimeout = 30
/opt/splunk/etc/system/default/distsearch.conf serverTimeout = 10
/opt/splunk/etc/system/default/distsearch.conf servers =
/opt/splunk/etc/system/default/distsearch.conf shareBundles = true
/opt/splunk/etc/system/default/distsearch.conf statusTimeout = 10
/opt/splunk/etc/system/default/distsearch.conf useSHPBundleReplication = true
/opt/splunk/etc/system/default/distsearch.conf [replicationBlacklist]
/opt/splunk/etc/system/default/distsearch.conf conf = (system|(apps/*))/(default|local)/server.conf
/opt/splunk/etc/system/default/distsearch.conf framework = apps/framework/...
/opt/splunk/etc/system/default/distsearch.conf sampleapp = apps/sample
app/...
/opt/splunk/etc/system/default/distsearch.conf userspecificmeta = users(/reserved)?///metadata/local.meta
/opt/splunk/etc/system/default/distsearch.conf [replicationSettings]
/opt/splunk/etc/system/default/distsearch.conf allowDeltaUpload = true
/opt/splunk/etc/system/default/distsearch.conf allowSkipEncoding = true
/opt/splunk/etc/system/default/distsearch.conf allowStreamUpload = auto
/opt/splunk/etc/system/default/distsearch.conf concerningReplicatedFileSize = 50
/opt/splunk/etc/system/default/distsearch.conf connectionTimeout = 60
/opt/splunk/etc/system/default/distsearch.conf maxBundleSize = 1024
/opt/splunk/etc/system/default/distsearch.conf maxMemoryBundleSize = 10
/opt/splunk/etc/system/default/distsearch.conf replicationThreads = 5
/opt/splunk/etc/system/default/distsearch.conf sanitizeMetaFiles = true
/opt/splunk/etc/system/default/distsearch.conf sendRcvTimeout = 60
/opt/splunk/etc/system/default/distsearch.conf [replicationSettings:refineConf]
/opt/splunk/etc/system/default/distsearch.conf replicate.app = true
/opt/splunk/etc/system/default/distsearch.conf replicate.authorize = true
/opt/splunk/etc/system/default/distsearch.conf replicate.collections = true
/opt/splunk/etc/system/default/distsearch.conf replicate.commands = true
/opt/splunk/etc/system/default/distsearch.conf replicate.eventtypes = true
/opt/splunk/etc/system/default/distsearch.conf replicate.fields = true
/opt/splunk/etc/system/default/distsearch.conf replicate.literals = true
/opt/splunk/etc/system/default/distsearch.conf replicate.multikv = true
/opt/splunk/etc/system/default/distsearch.conf replicate.props = true
/opt/splunk/etc/system/default/distsearch.conf replicate.segmenters = true
/opt/splunk/etc/system/default/distsearch.conf replicate.tags = true
/opt/splunk/etc/system/default/distsearch.conf replicate.transactiontypes = true
/opt/splunk/etc/system/default/distsearch.conf replicate.transforms = true
/opt/splunk/etc/system/default/distsearch.conf [replicationWhitelist]
/opt/splunk/etc/system/default/distsearch.conf other = (system|(apps/(?!pdfserver)*)|users(/
reserved)?//)/(bin|lookups)/...
/opt/splunk/etc/system/default/distsearch.conf refine.conf = (system|(apps/)|users(/_reserved)?//)/(default|local)/.conf
/opt/splunk/etc/system/default/distsearch.conf refine.metadata = (system|(apps/)|users(/_reserved)?//)/metadata/.meta
/opt/splunk/etc/system/default/distsearch.conf searchscripts = searchscripts/...
/opt/splunk/etc/system/default/distsearch.conf [tokenExchKeys]
/opt/splunk/etc/system/default/distsearch.conf certDir = $SPLUNKHOME/etc/auth/distServerKeys
/opt/splunk/etc/system/default/distsearch.conf genKeyScript = $SPLUNK
HOME/bin/splunk, createssl, audit-keys
/opt/splunk/etc/system/default/distsearch.conf privateKey = private.pem
/opt/splunk/etc/system/default/distsearch.conf publicKey = trusted.pem

[splunk@test_serverSH bin]$ `

0 Karma