Deployment Architecture

Help setting up a search head cluster?

bofa123
New Member

New to Splunk, can anyone help me build a SH Cluster? Any videos would be great, I tried reading the tutorials on Splunk but i'm still confused. I already have a practice environment setup.

http://docs.splunk.com/Documentation/Splunk/6.6.3/DistSearch/SHCdeploymentoverview

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi bofa123,
I deployed a search Head Cluster following instructions on documentation at http://docs.splunk.com/Documentation/Splunk/6.6.3/DistSearch/AboutSHC
I found only a problem (not documented in docs but in answers), described above

Shortly:

Deployer Configuration

  • Search Head Cluster Label Configuration:
    • in etc/system/local/server.conf file insert [shclustering] stanza
    • In that stanza insert row shcluster_label = my_cluster_label
  • Deployer's security key configuration:
    • In etc/system/local/server.conf file, insert own password (not encrypted) in row “pass4SymmKey” of [general] or [shclustering] stanza, at first restart Splunk will encrypt it
  • Restart Splunk

Cluster Members Configuration

  • run command
    • splunk init shcluster-config -auth ‘admin:password’ -mgmt_uri https://server_address:8089 -replication_port 8079 -replication_factor 3 -conf_deploy_fetch_url https://deployer_address:8089 -shcluster_label shcluster1
    • BEWARE: don't set –secret=password parameter (it's described in documentation!) because don't run!
  • splunk restart
  • modify in /opt/splunk/etc/system/local/server.conf file row pass4SymmKey inserting secret password in clear
  • splunk restart

Captain Configuration

Adding Search Peers

  • Distributed Search Configuration
  • Add Peer 1
  • URI peer https://Indexer_1_IP:8089
  • Remote User Service_User_On_Indexer_1
  • Remore Password Service_User_On_Indexer_1 password
  • Confirm Password on so on

Thn copy your Apps on Deployer and deploy them using Deployer.
All following updates will be automatically deployed by Cluster.

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...