Deployment Architecture

Help setting up a search head cluster?

bofa123
New Member

New to Splunk, can anyone help me build a SH Cluster? Any videos would be great, I tried reading the tutorials on Splunk but i'm still confused. I already have a practice environment setup.

http://docs.splunk.com/Documentation/Splunk/6.6.3/DistSearch/SHCdeploymentoverview

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi bofa123,
I deployed a search Head Cluster following instructions on documentation at http://docs.splunk.com/Documentation/Splunk/6.6.3/DistSearch/AboutSHC
I found only a problem (not documented in docs but in answers), described above

Shortly:

Deployer Configuration

  • Search Head Cluster Label Configuration:
    • in etc/system/local/server.conf file insert [shclustering] stanza
    • In that stanza insert row shcluster_label = my_cluster_label
  • Deployer's security key configuration:
    • In etc/system/local/server.conf file, insert own password (not encrypted) in row “pass4SymmKey” of [general] or [shclustering] stanza, at first restart Splunk will encrypt it
  • Restart Splunk

Cluster Members Configuration

  • run command
    • splunk init shcluster-config -auth ‘admin:password’ -mgmt_uri https://server_address:8089 -replication_port 8079 -replication_factor 3 -conf_deploy_fetch_url https://deployer_address:8089 -shcluster_label shcluster1
    • BEWARE: don't set –secret=password parameter (it's described in documentation!) because don't run!
  • splunk restart
  • modify in /opt/splunk/etc/system/local/server.conf file row pass4SymmKey inserting secret password in clear
  • splunk restart

Captain Configuration

Adding Search Peers

  • Distributed Search Configuration
  • Add Peer 1
  • URI peer https://Indexer_1_IP:8089
  • Remote User Service_User_On_Indexer_1
  • Remore Password Service_User_On_Indexer_1 password
  • Confirm Password on so on

Thn copy your Apps on Deployer and deploy them using Deployer.
All following updates will be automatically deployed by Cluster.

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...