Can you help me with an issue building a Splunk cluster?

a238574
Path Finder

I manage a couple of small Splunk clusters, and for the 1st time, I need to build one from scratch. I am testing in our sandbox environment, but when I bring the cluster up, I end up with index issues that can't seem to be resolved.

cannot fix up search factor as bucket is not serviceable
Cannot fix search count as the bucket hasn't rolled yet.

The above messages show up for every bucket in the _audit and _internal indexes. The build is a fairly simple one: 2 indexer peers, 1 master, and 1 dedicated search head.

1 - It's RHEL based
2 - Install the rpm, 7.0.3 is the version I am playing with
3 - Set the firewall rules to allow the traffic
4 - /opt/splunk/bin/splunk enable boot-start -user root --accept-license
5 - /opt/splunk/bin/splunk start --accept-license

For the master I run - /opt/splunk/bin/splunk edit cluster-config -mode master -replication_factor 2 -search_factor 2 -secret xxx -cluster_label test

For the indexer peers - /opt/splunk/bin/splunk edit cluster-config -mode slave -master_uri https://xx.xxx.xx.xx:8089 -replication_port 9887 -secret xxx

For the Search head - /opt/splunk/bin/splunk edit cluster-config -mode searchhead -master_uri https://xx.x.xxx.xx:8089 -secret xxx

Restart Splunk on the master, then configure the other nodes and restart Splunk.

Not sure what I am missing or doing wrong.

0 Karma
1 Solution

a238574
Path Finder

Found the issue. I had copied the RHEL firewall rules from another Splunk env that had modified the replication port from 9887 to 8080. Once I fixed the rules, the index issues were automatically fixed.

0 Karma
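
The mismatch described in the solution above can be checked for before the peers are started. The following is an added example, not part of the original thread: it compares the `[replication_port://...]` stanza in a peer's server.conf with a port list in the format printed by `firewall-cmd --list-ports`. The function names and the sample data are constructed for illustration.

```shell
# Print each port declared as a [replication_port://N] stanza in the
# server.conf text read from stdin.
replication_ports_from_conf() {
    sed -n 's|^[[:space:]]*\[replication_port://\([0-9][0-9]*\)][[:space:]]*$|\1|p'
}

# Return 0 if TCP port $1 is covered by the list in $2, given in the format
# printed by `firewall-cmd --list-ports`, e.g. "8089/tcp 9000-9010/tcp".
port_is_open() {
    local port=$1 entry range lo hi
    for entry in $2; do
        [ "${entry##*/}" = "tcp" ] || continue   # replication runs over TCP
        range=${entry%/*}
        lo=${range%-*}                           # a single port gives lo == hi
        hi=${range#*-}
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Print the replication ports in server.conf text $1 that the firewall port
# list $2 does not allow. No output means replication is not blocked.
blocked_replication_ports() {
    local port
    printf '%s\n' "$1" | replication_ports_from_conf | while read -r port; do
        port_is_open "$port" "$2" || echo "$port"
    done
}

# Constructed sample: a peer's server.conf after the `edit cluster-config`
# command from the question (address and secret are placeholders).
SAMPLE_CONF='[replication_port://9887]

[clustering]
master_uri = https://xx.xxx.xx.xx:8089
mode = slave
pass4SymmKey = xxx'

# Constructed firewall port lists: rules copied from a cluster that
# replicates on 8080, and the same rules after correction.
FW_COPIED='8089/tcp 8080/tcp'
FW_FIXED='8089/tcp 9887/tcp'

echo "blocked with copied rules: $(blocked_replication_ports "$SAMPLE_CONF" "$FW_COPIED")"
echo "blocked with fixed rules:  $(blocked_replication_ports "$SAMPLE_CONF" "$FW_FIXED")"
```

On a live peer the two arguments would be the contents of /opt/splunk/etc/system/local/server.conf (assuming the default install location) and the output of `firewall-cmd --list-ports`.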


MuS
SplunkTrust

You are building an index cluster with 1 node and configuring replication_factor=2; this cannot work. You would need at least 2 nodes to make it work.

cheers, MuS

0 Karma

a238574
Path Finder

It's got 4 nodes, 1 for each function: 2 indexer peers, 1 master, and 1 dedicated search head.

0 Karma

a238574
Path Finder

The steps are the same for each node except for the cluster config command.

0 Karma