Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Deployment Server | Clustered environment 10.2.x

NullZero
Communicator
2 weeks ago

IHAC that has a distributed DS/LM/MC in a DMZ environment (see image). It's a new RHEL build on 10.2.2 and clients have their deploymentclient.conf set to call home to it. When I browse to it in the UI there are errors, I note this Help Article and others similar. The fix has not resolved the issue

What I'm tying myself in knots over is if the DS / Agent Manager needs to be able to despatch search to the Cluster Manager in the core environment in order to read the internal _ds* indexes. The same goes for Monitoring console and Licence functionality? I can drop the relevant TA with the clustering stanza (mode SH) onto this DMZ (DS/LM/MC) server but I just want to do it the right way. I think I may be over thinking this.

 

 

Labels (2)
Labels
Preview file
289 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
2 weeks ago

It would help to know the errors seen in the UI, but if the DS cannot search the _ds* indexes then the UI will not function properly. 

Add the relevant (probably custom) TA to the DS so it knows how to search the indexers.  The MC should already have distributed search configuration.  The CM does not need it and won't care if it's present.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

NullZero
Communicator
2 weeks ago

Thanks @richgalloway that's effectively the answer, I need to give this remote DS the ability so search the indexed data, so it must have the clustering stanza to call back to. It can't function just on the direct call in of clients.

server.conf

[clustering]
mode = searchhead
manager_uri = https://<hostname>:8089
pass4SymmKey = <string>

 

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
2 weeks ago

It would help to know the errors seen in the UI, but if the DS cannot search the _ds* indexes then the UI will not function properly. 

Add the relevant (probably custom) TA to the DS so it knows how to search the indexers.  The MC should already have distributed search configuration.  The CM does not need it and won't care if it's present.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...