I have set up an index peering cluster, where one node is the index cluster master and the remaining two nodes are peer nodes.
Index has been successfully pushed and distributed among the peers.
Now I have added a data input on one of the peer indexer nodes, but if I try to search it, it is not visible. On the other hand, if I add the data input on the index cluster manager (master) node, the data is visible in the search results.
Is it possible to distribute the data input to the peers? Or should the data always be pushed to the index master?
Please clear up this concept for me.
First of all, I would recommend reading this doc:
The concept goes like this:
Splunk has 3 main layers in its architecture:
Each layer can have 1 machine or many machines.
1 Machine approach:
1 Search head
Multiple machines in the search layer:
x Search heads in search head cluster (+deployer)
Multiple machines in the indexer layer:
1 Search head
x indexers in indexer cluster (+cluster master)
And so on...
You need to set up a search head and configure it within the indexer cluster as a search head.
That way, the search head will search in all indexes in the cluster peers.
Configuration of search head in Indexer Cluster:
If you would like the indexers in the cluster to balance the arriving data between each other, you need to set up a forwarder that sends the data to both of them in a load-balanced manner.
Configuration of load-balanced forwarding:
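As an added example (not part of the original answer), here is the minimal configuration the two steps above describe: a search head joined to the indexer cluster, and a universal forwarder that carries the file input and spreads its data across both peers. Hostnames, ports, the index name and the pass4SymmKey value are placeholders; the peers must also have a receiving port open (a `[splunktcp://9997]` stanza in their inputs.conf) for the forwarder to connect to.

```ini
# On the search head: $SPLUNK_HOME/etc/system/local/server.conf
# Joining the indexer cluster in searchhead mode makes every search fan out
# to all peers, so data indexed on any peer is visible from here.
[clustering]
mode = searchhead
master_uri = https://cluster-master.example.com:8089
pass4SymmKey = <same-key-as-on-the-cluster-master>

# On the forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf
# One target group lists both peers. The forwarder switches between them
# every autoLBFrequency seconds, so incoming data is balanced across the
# cluster instead of landing on a single indexer.
[tcpout]
defaultGroup = idx_cluster

[tcpout:idx_cluster]
server = peer1.example.com:9997, peer2.example.com:9997
autoLBFrequency = 30

# On the forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf
# The "Files & Directories" monitor input belongs on the forwarder, not on
# a peer and not on the cluster master.
[monitor:///var/log/app/app.log]
index = myindex
sourcetype = app_log
```

After restarting the forwarder, `index=myindex | stats count by splunk_server` on the search head shows how many events each peer received, which is the quickest way to confirm that load balancing is actually alternating between the two peers.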
Here is what I have done and now what I want to achieve.
I created the index file on the master under $splunk_home/etc/master_apps and distributed it among the peers.
Now I have created a normal file with content for a Files & Directories data input, and I have created the data input on the master. Now I am able to see the contents of the file from the master index search head.
But if I try to search for the same thing on the index peers, it is not visible. Ideally, since the data is processed on the peer indexers, shouldn't it be visible on the peer indexers also?
So here my doubt is: if I forward my logs to the Splunk index master, will they not be visible on the peers? And also, is there any way I can check which index peer is processing the data?
I believe you have misunderstood the purpose of the cluster master.
It is not intended to deliver events into the indexers, but only to manage their settings.
To deliver events (forward events), you would need to set up a forwarder machine.
Having said that, it is technically possible to run a cluster master and a heavy forwarder on the same Splunk instance, but it's not recommended.
Configure your cluster master to forward into the indexers as described here:
If you use a master, you should only distribute your settings via the master server (usually $SPLUNK_HOME/etc/master-apps/), because if you place your settings on one indexer manually, they will not be replicated to the other indexers.
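Added example (not from the original reply) of the distribution point the answer refers to: the index definition placed in the master's bundle so that every peer receives the same stanza, beside the location that looks similar but is never replicated. The index name and paths are placeholders.

```ini
# Correct place, on the cluster master:
#   $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf
# _cluster is the app the master pushes to every peer; any other app
# directory under master-apps/ is distributed the same way.
[myindex]
homePath   = $SPLUNK_DB/myindex/db
coldPath   = $SPLUNK_DB/myindex/colddb
thawedPath = $SPLUNK_DB/myindex/thaweddb
# Needed in a cluster: without repFactor = auto the peers keep their own
# copy of the buckets and do not replicate them according to the
# replication factor configured on the master.
repFactor = auto

# Wrong place for the same stanza. Only peer1 would know the index; the
# other peers never see it and searches spanning the cluster stay incomplete.
#   peer1:$SPLUNK_HOME/etc/system/local/indexes.conf
```

Once the file is in master-apps, run `splunk validate cluster-bundle` and then `splunk apply cluster-bundle` on the master to push it; the peers restart if the change requires it. To see which peer holds a given event, use the built-in `splunk_server` field in a search, for example `index=myindex | stats count by splunk_server`.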