Deployment Architecture

Distributed deployment and MC: Do I need to add SH if the SH is sending its data to IDX cluster?

MLGSPLUNK
Path Finder

Hi community.

Just preparing for my ARCH practical lab. I heard that it's mandatory to add to the MC the non clustered SH as a search peer. However, I already configured the SH to send its internal data to the IDX cluster I have deployed.

My question is: Do I need to also configure the SH as a search peer on the MC in order to be able to monitor it, or just with the cluster master as a search peer (it automatically adds all the clustered idx to the MC) will it do.

In theory if all the SH _internal data is at the IDX layer, the MC would take a look at the IDX cluster that contains the aleady forwarded _internal data from the SH, ritght?

Please provide an explanation so I can beat the practical lab. Thanks!

0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @MLGSPLUNK,

MC is using REST calls to monitor Splunk Servers. That is why it should be able to access all Splunk Instances. Splunk can make REST calls only its search peers. 

Forwarding _internal data is required also to see all logs from one place.

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok
SplunkTrust
SplunkTrust

Hi @MLGSPLUNK,

MC is using REST calls to monitor Splunk Servers. That is why it should be able to access all Splunk Instances. Splunk can make REST calls only its search peers. 

Forwarding _internal data is required also to see all logs from one place.

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

MLGSPLUNK
Path Finder

Thanks @scelikok for your fast answer, then it makes total sense for me, and learn something else.

So at the end:

- SH stablished as a search peer for the MC

- SH forward all its internals to idx cluster.

 

Ty.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...