Deployment Architecture

How can I find whether an environment is clustered or distributed? If it is distributed, how can I add a new index to that?

Engager

I have 4 servers, of which 2 are clustered and are used as search heads, a 3rd one is Splunk Enterprise Security, and the 4th server is search head pooling. These are connected to indexers. I want to know how to find whether the environment is clustered or distributed. If it is distributed, then how should I add a new index to it and pull logs into that index?

Thanks,
Nishwanth

0 Karma

Re: How can I find whether an environment is clustered or distributed? If it is distributed, how can I add a new index to that?

SplunkTrust

To find out if a search head is running in a search head cluster, run this on the search head:

$SPLUNK_HOME/bin/splunk show shcluster-status

To find out if a search head is running in a search head pool, run this on the search head:

$SPLUNK_HOME/bin/splunk pooling display

To find out if an indexer is running in an indexer cluster, run this on the indexer:

$SPLUNK_HOME/bin/splunk show cluster-status

To define indexes in an indexer cluster, check out the docs at http://docs.splunk.com/Documentation/Splunk/6.4.2/Indexer/Configurethepeerindexes

To pull in logs, one of the good ways is forwarding - check out the docs at http://docs.splunk.com/Documentation/Splunk/6.4.2/Forwarding/Aboutforwardingandreceivingdata

If you have inherited a complex legacy Splunk environment with little documentation and not a lot of experience, consider getting a local partner or Splunk professional services to help you bring things back to proper health.



Re: How can I find whether an environment is clustered or distributed? If it is distributed, how can I add a new index to that?

Engager

Thanks for your answer, Martin. If it is distributed, how will I add a new index to it?

0 Karma

Re: How can I find whether an environment is clustered or distributed? If it is distributed, how can I add a new index to that?

SplunkTrust

If your indexers are distributed but not clustered, you go back a few chapters in the manual I linked above: http://docs.splunk.com/Documentation/Splunk/6.4.2/Indexer/Aboutmanagingindexes

0 Karma
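The two answers above (the CLI checks for search head cluster / pooling / indexer cluster, and the two index-definition procedures for clustered versus distributed-but-unclustered indexers) can be tied together in one script. The following is an added example, not code from the thread or from Splunk: it validates a proposed index name against Splunk's documented naming rules, emits the indexes.conf stanza (with repFactor only for the cluster case), tells you which file the stanza belongs in for each deployment type, emits the matching inputs.conf monitor stanza for the forwarder, and runs the three CLI checks from the accepted answer when a splunk binary is present. The index name app_audit, the log path /var/log/app/audit.log and the sourcetype app:audit are constructed for the demo; the config paths are the 6.x layout ($SPLUNK_HOME/etc/master-apps/... on the cluster master) referenced in the linked docs.

```shell
#!/bin/sh
# Added example, not from the original thread or from Splunk.
# Helpers for adding an index to either an indexer cluster or a set of
# independent (distributed, unclustered) indexers, plus the CLI checks
# that tell you which of the two you have.

# Splunk's documented index naming rules: only lowercase letters, digits,
# underscores and hyphens; must not begin with "_" or "-"; must not
# contain the string "kvstore".
valid_index_name() {
    name="$1"
    case "$name" in
        ''|_*|-*)  return 1 ;;
        *kvstore*) return 1 ;;
    esac
    # Reject anything outside the allowed character set.
    if printf '%s' "$name" | LC_ALL=C grep -q '[^a-z0-9_-]'; then
        return 1
    fi
    return 0
}

# index_stanza NAME MODE   (MODE is "cluster" or "standalone")
# Emits the indexes.conf stanza. repFactor = auto is only meaningful on
# clustered peers; standalone indexers get the plain three-path stanza.
index_stanza() {
    name="$1"; mode="$2"
    valid_index_name "$name" || { echo "invalid index name: $name" >&2; return 1; }
    printf '[%s]\n' "$name"
    printf 'homePath   = $SPLUNK_DB/%s/db\n' "$name"
    printf 'coldPath   = $SPLUNK_DB/%s/colddb\n' "$name"
    printf 'thawedPath = $SPLUNK_DB/%s/thaweddb\n' "$name"
    [ "$mode" = cluster ] && printf 'repFactor  = auto\n'
    return 0
}

# Where the stanza goes, per the two procedures in the thread:
#   cluster:    on the cluster master only, then `splunk apply cluster-bundle`
#   standalone: on EVERY indexer (there is no distribution mechanism), then restart each
stanza_path() {
    case "$1" in
        cluster)    echo '$SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf' ;;
        standalone) echo '$SPLUNK_HOME/etc/system/local/indexes.conf' ;;
        *)          return 1 ;;
    esac
}

# monitor_stanza PATH INDEX SOURCETYPE
# inputs.conf stanza for the forwarder that reads the logs into the new index.
# The index must already exist on the indexers, otherwise events are dropped
# (or land in the last-chance index if one is configured).
monitor_stanza() {
    path="$1"; name="$2"; st="$3"
    valid_index_name "$name" || return 1
    printf '[monitor://%s]\n' "$path"
    printf 'index      = %s\n' "$name"
    printf 'sourcetype = %s\n' "$st"
    printf 'disabled   = false\n'
}

# The three checks from the accepted answer, run on the local host.
# Only works where Splunk is installed; returns 2 otherwise.
detect_roles() {
    splunk_bin="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"
    [ -x "$splunk_bin" ] || { echo "no splunk binary at $splunk_bin" >&2; return 2; }
    echo "== search head cluster ==";  "$splunk_bin" show shcluster-status
    echo "== search head pooling ==";  "$splunk_bin" pooling display
    echo "== indexer cluster ==";      "$splunk_bin" show cluster-status
}

# Demo with constructed values: `sh thisscript.sh demo cluster`
if [ "${1:-}" = demo ]; then
    mode="${2:-standalone}"
    echo "# put this in: $(stanza_path "$mode")"
    index_stanza app_audit "$mode"
    echo
    echo "# forwarder inputs.conf:"
    monitor_stanza /var/log/app/audit.log app_audit app:audit
fi
```

Run the stanza on every indexer you found with `splunk show cluster-status` reporting no cluster membership; if that command instead shows peer status, write the stanza once on the cluster master and push it with `splunk apply cluster-bundle`. Either way, confirm afterwards with `splunk btool indexes list app_audit` on an indexer before pointing forwarders at the index.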

Re: How can I find whether an environment is clustered or distributed? If it is distributed, how can I add a new index to that?

Engager

Thanks for your reply, Martin.

0 Karma

Re: How can I find whether an environment is clustered or distributed? If it is distributed, how can I add a new index to that?

SplunkTrust

Do mark this answer as accepted if it solved your question.

0 Karma

Re: How can I find whether an environment is clustered or distributed? If it is distributed, how can I add a new index to that?

Path Finder

What should be the ideal output of the below command if the indexers are not running in clustered mode?

$SPLUNK_HOME/bin/splunk show cluster-status

0 Karma