
Add second index cluster to search head

trevor_dunstan8
Explorer

Hi all,

I'll try and keep it short and to the point.

We have a standalone search head that is currently connected to an index cluster with 4 peers. We would now like to connect a second 3 peer index cluster that is hosted in AWS.

When I add the AWS cluster master to the search head via Settings -> Indexer Clustering it actually fails to connect due to the below error:

Master has multisite enabled but the search head is missing the 'multisite' attribute'

But if I configure it in the server.conf file and reboot, the AWS cluster master connects fine, but the 3 peers do not appear, as per the screenshot below, and I am not able to search the indexes.

[Screenshot: Peers.PNG]

If I manually add the index peers under Settings -> Distributed Search -> New Search Peer, the peers add fine and I am able to search indexes in AWS as required. 

I need the peers to be discovered automatically by the search head via the cluster master as the AWS indexers are rebuilt on a regular basis.

Below is the server.conf on our search head

[Screenshot: server.conf.PNG]

and I have been informed that autodiscovery is enabled on the AWS Cluster master.

I have logged a case with Splunk but thought I would try here as well.

Any information would be appreciated

Thanks

 

Trev

0 Karma

trevor_dunstan8
Explorer

Issue turned out to be a DNS issue and our search head was not able to resolve DNS names for the indexers in AWS. As an interim solution we have updated the hosts file on the search head with the AWS pool of IP addresses and hostnames for the AWS indexers. Not elegant by any means but is temporary until DNS forwarders can be set up.

0 Karma
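The failure described in the post above (peer names handed out by the cluster master not resolving on the search head, even though firewall rules were in place) can be told apart from a blocked port with a check like the following. This is an added example, not part of the original thread; the peer hostnames are constructed placeholders, and 8089 is the port mentioned in the thread.

```python
import socket

# Constructed placeholder names; substitute the indexer hostnames that the
# cluster master advertises to the search head.
SAMPLE_PEERS = ["idx1.aws.example", "idx2.aws.example"]
MGMT_PORT = 8089  # port mentioned in the thread


def check_peer(host, port=MGMT_PORT, timeout=3.0,
               resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Classify one peer as 'dns_failure', 'port_unreachable' or 'ok'.

    resolve/connect are injectable so the logic can be exercised offline.
    """
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # The name does not resolve from this host: the case in this thread.
        return {"host": host, "status": "dns_failure", "detail": str(exc)}
    addresses = sorted({info[4][0] for info in infos})
    last_error = "no addresses returned"
    for addr in addresses:
        try:
            with connect((addr, port), timeout=timeout):
                return {"host": host, "status": "ok", "detail": addr}
        except OSError as exc:
            # Name resolved but the TCP connect failed (firewall, routing, service down).
            last_error = f"{addr}: {exc}"
    return {"host": host, "status": "port_unreachable", "detail": last_error}


def check_peers(peers, **kwargs):
    """Run check_peer over a list of hostnames and return the results in order."""
    return [check_peer(host, **kwargs) for host in peers]


def unresolved(results):
    """Hostnames that need a DNS record (or an interim hosts-file entry)."""
    return [r["host"] for r in results if r["status"] == "dns_failure"]


if __name__ == "__main__":
    for result in check_peers(SAMPLE_PEERS):
        print(f"{result['host']:<30} {result['status']:<17} {result['detail']}")
```

Run it on the search head itself, since the result depends on that host's resolver configuration.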

isoutamo
SplunkTrust

Hi

We are using DNS names in all configurations and update them when creating a new server or after termination, when a server comes up with a different IP. This is done in our Ansible scripts by calling R53 services. Is this a suitable option for you?

r. Ismo

0 Karma

isoutamo
SplunkTrust
Hi
Otherwise it seems to be correct, but can you add multisite = false to the onperm-master stanza?
r. Ismo
0 Karma

trevor_dunstan8
Explorer

I should have also mentioned that FW rules appear to be in place as I am able to SSH directly to the AWS cluster master and AWS indexers from our search head over port 8089

0 Karma