Deployment Architecture

How do I configure Distributed Search Groups for a clustered Indexer environment?

fernandoandre
Communicator

Question: How to configure Distributed Search Groups - distsearch.conf - on a Search head that run searches across both on clustered indexers and non-cluster indexers?

Context:
The documentation on "Configure distributed search groups" 1 explains on how to define distributed search groups using distsearch.conf on the Search Head but only for the use case of non-clustered peers/indexers.
However, the documentation mentions the following:

These are some examples of indexer cluster deployments where distributed search groups might be of value:
Search heads that run searches across both an indexer cluster and standalone indexers. You might want to put the standalone indexers into their own group.

Problem:
We already use this distributed search group feature for non-clustered indexers. However, we haven't been successful in enabling this feature to work for non-clustered and clustered indexers (without using DMC).

[distributedSearch:groupIDX1]
default = false
servers = myserver1:8089, myserver2:8089

[distributedSearch:groupIDX2]
default = false
servers = myserver3:8089, myserver4:8089

[distributedSearch:groupIDXClustered]
default = false
servers = myserverCluster1:8089, myserverCluster2, myserverCluster3:8089

With a configuration similar to the above we get the warning on the search:

warn : Search filters specified using splunk_server/splunk_server_group do not match any search peer.

Has anyone been successful in configuring Distributed Search Groups for clustered Indexers?

chris
Motivator

Did you ever manage resolve this?

0 Karma

adonio
Ultra Champion

i might be mistaken, but i dont think you can do it in an indexer cluster configuration, as the peers and the groups are being inherited from the cluster master, when you connect the search head to it.
as of the example in docs, my understanding is that the clustered indexer are one group and the other indexers are distributed...
would like to learn if there is a way to do it.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...