Deployment Architecture

Can a Index Cluster master use it self for forwarding data to the Cluster peers?

las
Contributor

Hi All.

I was thinking about the configuration af an Index Cluster Deployer (formerly known as Master), where best practises are, that it should forward data to the index tier, this makes absolutely sense.

But why not use it self to define the peers, the same way all other forwarders use it.

So I get an outputs.conf with this content:

 

[indexer_discovery:master1]
pass4SymmKey = *****
master_uri = https://127.0.0.1:8089

[tcpout:prod]
indexerDiscovery = master1
useACK = true

[tcpout]
defaultGroup = prod

 

I tried it on a 8.1.0 just released instanse on Splunk Enterprise, but it seems I get some sort of race condition, where the Cluster Master isn't available when the TCP-out process need to uild the indexer list.

Has anybody else seen this, found a workaround or is this by design?

 

Kind regards and happy .conf

las

Labels (1)
1 Solution

las
Contributor

Reply from Support:

 

The issue only occurs when you have the Cluster Master and the Indexers running different versions of Splunk. When the CM is running 8.1 and the Indexers are running 8.0.5 the "Forwarding and receiving » Forward data" screen on the CM doesn't display the indexers and also the CM doesn't seem to be able to forward its internal logs to the indexers.

 

I then proceeded to do the following :

 

- Set the CM into maintenance-mode

- Stopped each indexer and then upgraded them to 8.1

- Started the indexers again

- Restarted the CM

- Disabled maintenance-mode on the CM

 

After doing this I checked the "Forwarding and receiving » Forward data" screen on the CM again and saw that all the indexers were now showing.

 

I then also performed a search on the _internal logs for the CM hostname and saw that the logs had now been fully forwarded onto the indexers.

 

So I would recommend performing the full upgrade of the CM and Indexers in one go and avoid running with mixed release versions for too long.

View solution in original post

las
Contributor

Reply from Support:

 

The issue only occurs when you have the Cluster Master and the Indexers running different versions of Splunk. When the CM is running 8.1 and the Indexers are running 8.0.5 the "Forwarding and receiving » Forward data" screen on the CM doesn't display the indexers and also the CM doesn't seem to be able to forward its internal logs to the indexers.

 

I then proceeded to do the following :

 

- Set the CM into maintenance-mode

- Stopped each indexer and then upgraded them to 8.1

- Started the indexers again

- Restarted the CM

- Disabled maintenance-mode on the CM

 

After doing this I checked the "Forwarding and receiving » Forward data" screen on the CM again and saw that all the indexers were now showing.

 

I then also performed a search on the _internal logs for the CM hostname and saw that the logs had now been fully forwarded onto the indexers.

 

So I would recommend performing the full upgrade of the CM and Indexers in one go and avoid running with mixed release versions for too long.

las
Contributor

I have created a ticket with support for this issue.
It seems that after restart of one of my search-heads, that also was unable to get the list of indexers.

I will post the result from support.

Kind regards

las

Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...