Deployment Architecture

Help setting up a search head cluster?

bofa123
New Member

New to Splunk, can anyone help me build a SH Cluster? Any videos would be great. I tried reading the tutorials on Splunk but I'm still confused. I already have a practice environment set up.

http://docs.splunk.com/Documentation/Splunk/6.6.3/DistSearch/SHCdeploymentoverview

0 Karma

gcusello
SplunkTrust

Hi bofa123,
I deployed a Search Head Cluster following the instructions in the documentation at http://docs.splunk.com/Documentation/Splunk/6.6.3/DistSearch/AboutSHC
I found only one problem (not documented in the docs but in Answers), described above.

In short:

Deployer Configuration

  • Search Head Cluster Label Configuration:
    • In the etc/system/local/server.conf file, insert the [shclustering] stanza
    • In that stanza, insert the row shcluster_label = my_cluster_label
  • Deployer's security key configuration:
    • In the etc/system/local/server.conf file, insert your own password (not encrypted) in the pass4SymmKey row of the [general] or [shclustering] stanza; at the first restart Splunk will encrypt it
  • Restart Splunk

Cluster Members Configuration

  • Run the command
    • splunk init shcluster-config -auth 'admin:password' -mgmt_uri https://server_address:8089 -replication_port 8079 -replication_factor 3 -conf_deploy_fetch_url https://deployer_address:8089 -shcluster_label shcluster1
    • BEWARE: don't set the -secret=password parameter (it's described in the documentation!) because it doesn't run!
  • splunk restart
  • In the /opt/splunk/etc/system/local/server.conf file, modify the pass4SymmKey row, inserting the secret password in clear text
  • splunk restart

Captain Configuration

Adding Search Peers

  • Distributed Search Configuration
  • Add Peer 1
  • URI peer https://Indexer_1_IP:8089
  • Remote User Service_User_On_Indexer_1
  • Remote Password Service_User_On_Indexer_1 password
  • Confirm Password and so on

Then copy your Apps to the Deployer and deploy them using the Deployer.
All following updates will be automatically deployed by the Cluster.

Bye.
Giuseppe

0 Karma
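
A check for the server.conf settings that the answer above edits by hand, as an added example that is not part of the original post or of Splunk's own tooling. The function names and finding labels are hypothetical, the sample file is constructed, and the script assumes that a value Splunk has already encrypted starts with `$1$` or `$7$`.

```shell
#!/bin/sh
# Added example: audit the server.conf settings edited by hand in the steps above.

# conf_value FILE STANZA KEY: print KEY's value inside [STANZA] (last one wins)
conf_value() {
  awk -v stanza="$2" -v key="$3" '
    { gsub(/^[ \t]+|[ \t]+$/, "") }              # trim the line
    /^#/ || /^$/ { next }                         # skip comments and blanks
    /^\[.*\]$/ { cur = substr($0, 2, length($0) - 2); next }
    cur == stanza && (i = index($0, "=")) {
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
      if (k == key) val = v
    }
    END { printf "%s", val }' "$1"
}

# audit_shc_conf FILE: print one finding per line; exit status 0 when clean
audit_shc_conf() (
  conf=$1; bad=0
  finding() { echo "$1"; bad=1; }
  [ -n "$(conf_value "$conf" shclustering shcluster_label)" ] ||
    finding "MISSING_LABEL: no shcluster_label in [shclustering]"
  # The post allows the key in [shclustering] or [general]
  key=$(conf_value "$conf" shclustering pass4SymmKey)
  [ -n "$key" ] || key=$(conf_value "$conf" general pass4SymmKey)
  case $key in
    '')            finding "MISSING_KEY: pass4SymmKey is not set" ;;
    '$1$'*|'$7$'*) ;;  # assumed prefixes of a Splunk-encrypted value
    *)             finding "PLAINTEXT_KEY: pass4SymmKey still in clear; restart Splunk" ;;
  esac
  # The key sits in clear text until the restart, so other users must not read the file
  case $(ls -ld "$conf") in
    ???????r*) finding "WORLD_READABLE: chmod o-r $conf" ;;
  esac
  [ "$bad" -eq 0 ]
)

# Constructed sample: the file right after the manual edit, before the restart
sample=$(mktemp)
cat > "$sample" <<'EOF'
[shclustering]
shcluster_label = my_cluster_label
pass4SymmKey = ExampleSecret-constructed
EOF
audit_shc_conf "$sample" || true
rm -f "$sample"
```

Run it against etc/system/local/server.conf on the deployer and on each member after the final restart; a PLAINTEXT_KEY finding at that point means the restart that encrypts the key has not happened yet.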