Deployment Architecture

Can we distribute data inputs in splunk?

shahk
Explorer

Hi,

I have set up Index peering cluster, where one node is index cluster master and rest two nodes are peer nodes.
Index has been successfully pushed and distributed among the peers.
Now I have added a data input on one of the peer index nodes; if I try to search it, it is not visible. On the other hand, if I add the data input on the Index cluster manager (master) node, the data is visible in the search results?

Is it possible to distribute the data input to the peers? Or the data should always be pushed to Index master?

Please clear my concept.

Regards,
Krimesh

0 Karma

ehudb
Contributor

First of all I would recommend reading this doc:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/Basicclusterarchitecture

The concept goes like this:

Splunk has 3 main layers in its architecture:
Search
Index
Forward

Each layer can have 1 machine or many machines.
1 Machine approach:

1 Search head
1 Indexer
1 Forwarder

Multiple machines in the search layer:
x Search heads in search head cluster (+deployer)
1 Indexer
1 Forwarder

Multiple machines in the indexer layer:
1 Search head
x indexers in indexer cluster (+cluster master)
1 Forwarder

And so on...

Search configuration

You need to set up a Search head and configure it within the Indexer Cluster, as a Search head.
That way, the search head will search in all indexes in the cluster peers.

Configuration of search head in Indexer Cluster:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/Enablethesearchhead

Forwarder configuration

If you would like the indexers in the cluster to balance the arriving data between each other, you need to set up a forwarder that sends the data to both of them in a load-balanced manner.

Configuration of load-balanced forwarding:
http://docs.splunk.com/Documentation/Forwarder/6.5.1/Forwarder/Configureloadbalancing

0 Karma

shahk
Explorer

Thanks ehudb,

Here is what I have done and now what I want to achieve.

I created the index file on the master index under $splunk_home/etc/master_apps and distributed it among the peers.
Now I have created a normal file with content for a Files & Directories data input, and I have created the data input file on the master. Now I am able to see the contents of the file in the master index search head.

But if I try to search the same in the Index peers, it is not visible. Ideally, since the data is processed in the peer index, shouldn't it be visible in the peer index also?

So here my doubt is, if I want to forward my log to the splunk index master, will it not be visible in the peers? And also, is there any way I can check which index peers the data is being processed by?

Regards,
Krimesh

0 Karma

ehudb
Contributor

I believe you have misunderstood the purpose of the cluster master.
It is not purposed to deliver events into the indexers, but only to manage their settings.

To deliver events (forward events), you would need to set up a forwarder machine.
Having said that, it is technically possible to use a cluster master and a heavy forwarder on the same splunk instance, but it's not recommended.
Configure your cluster master to forward into the indexers as described here:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/Forwardmasterdata

0 Karma
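As an added example (not from either poster or from the Splunk docs) covering both the load-balanced forwarder setup from ehudb's first answer and the "forward the master's own data" setup from the second: an outputs.conf for a forwarder, or for the cluster master acting as a forwarder, that sends everything to both peers with load balancing and does not index locally. The peer hostnames, the port 9997 receiving port and the group name are assumed values; the receiving port must be enabled on each peer (Settings > Forwarding and receiving) and should be reachable only from the forwarding hosts.

```ini
# $SPLUNK_HOME/etc/system/local/outputs.conf  (assumed location; a deployed
# app under etc/apps/<app>/local/ works the same way)

# On a full Splunk instance such as the cluster master, stop it from writing
# events into its own local indexes; a universal forwarder never indexes, so
# this stanza is harmless there.
[indexAndForward]
index = false

[tcpout]
# Every input on this instance goes to this group unless an input overrides it.
defaultGroup = cluster_peers
# Forward internal indexes (_internal, _audit) too, so the master's own logs
# land on the peers and are searchable alongside everything else.
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:cluster_peers]
# Both indexer peers; hostnames are placeholders for this example.
server = idx-peer-1.example.local:9997, idx-peer-2.example.local:9997
# Round-robin between the listed peers, switching target every 30 seconds,
# so each peer ends up holding a share of the raw data.
autoLB = true
autoLBFrequency = 30
# Wait for the peer to acknowledge writes before discarding the send queue,
# so a peer that goes down mid-stream does not silently lose events.
useACK = true
```

To see which peer actually indexed a given event, search from the cluster-aware search head with `index=<your_index> | stats count by splunk_server`; the `splunk_server` field names the peer that holds the bucket the event was read from.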

skalliger
Motivator

Hi,

If you use a master, you should only distribute your settings via the master server (usually $SPLUNK_HOME/etc/master-apps/), because if you place your settings on one indexer manually, they will not get replicated to the other indexers.

Skalli

0 Karma