Hi community.
Just preparing for my ARCH practical lab. I heard that it's mandatory to add to the MC the non clustered SH as a search peer. However, I already configured the SH to send its internal data to the IDX cluster I have deployed.
My question is: Do I need to also configure the SH as a search peer on the MC in order to be able to monitor it, or will just the cluster master as a search peer (it automatically adds all the clustered idx to the MC) do?
In theory, if all the SH _internal data is at the IDX layer, the MC would take a look at the IDX cluster that contains the already forwarded _internal data from the SH, right?
Please provide an explanation so I can beat the practical lab. Thanks!
Hi @MLGSPLUNK,
MC is using REST calls to monitor Splunk Servers. That is why it should be able to access all Splunk Instances. Splunk can make REST calls only to its search peers.
Forwarding _internal data is required also to see all logs from one place.
Thanks @scelikok for your fast answer, then it makes total sense for me, and I learned something else.
So at the end:
- SH established as a search peer for the MC
- SH forwards all its internals to the idx cluster.
Ty.
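The two steps summarized in this thread, as an added configuration example that is not from any of the posters: the search head's `outputs.conf` for forwarding its internal data to the indexer layer, with the Monitoring Console step shown as comments. Host names, the output group name, ports and credentials are constructed placeholders.

```ini
# --- Step 1: on the non-clustered search head ---
# $SPLUNK_HOME/etc/system/local/outputs.conf
# Forward everything (including _internal) to the indexer cluster
# instead of indexing locally.

[indexAndForward]
index = false

[tcpout]
defaultGroup = idx_cluster_peers
# Disable the default index filter so all internal indexes are forwarded.
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:idx_cluster_peers]
# Placeholder indexer addresses and receiving port.
server = idx1.example.local:9997,idx2.example.local:9997,idx3.example.local:9997

# --- Step 2: on the Monitoring Console instance ---
# Forwarded logs alone are not enough: the MC also queries each instance
# over REST (management port), and that only works for its search peers.
# Add the search head as a search peer from the MC's CLI:
#
#   splunk add search-server https://sh1.example.local:8089 \
#       -auth <mc_admin>:<mc_password> \
#       -remoteUsername <sh_admin> -remotePassword <sh_password>
#
# --- Step 3: verify from the MC's search bar ---
# The rest command is dispatched only to the local instance and its search
# peers, so the search head must appear in this result:
#
#   | rest splunk_server=* /services/server/info
#   | table splunk_server server_roles version
```

If the search head is missing from the step 3 result, the MC dashboards that rely on REST have no data for it even though its `_internal` events are searchable on the indexers.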