Deployment Architecture

How do I see what Splunk components are in my environment?

ochoa165
Explorer

Good Morning Everyone!

 

I am trying to see what components are in my Splunk environment. I just inherited a system with Splunk on it, and as far as I know I am on a management server and I am accessing a Splunk web client, which I presume is the search head... (that's one component down... I think).

I understand Splunk Enterprise needs a forwarder, an indexer and a search head to function correctly... but without knowing what components I have inherited, I am not really sure that it is working.

Also, I have done some initial research on a message I received upon barely logging in... "The minimum free disk space (5000MB) reached for /opt/splunk/var/run/splunk/dispatch" on an indexer.

A) My research has shown me that it's possible Splunk is forwarding to itself.

B) I can remedy the error by editing the .conf file responsible for setting the min. quota.

C) Assess the storage available and allocate more space to said directory.

Knowing the above options... what do you think is best in my scenario? Again, I am super new to this environment.

 


meleegod
Engager

Hi!

A Splunk instance can be configured as a standalone deployment or as part of a clustered component. A standalone deployment basically inherits all of the components into a single instance where you can index incoming data and search them while acting as License Master and monitoring console. There is a possibility that your particular instance might be either standalone or part of an indexer, because normally other Splunk components are less likely to get alerts on free space. I would probably begin by checking your host's disk utilization and checking $SPLUNK_HOME/etc/system/local/server.conf to get any hint of this deployment. If you have a [clustering] stanza defined inside your server.conf file, there is a high chance that there may be other Splunk components residing in your environment.

https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Serverconf

You can also use Splunk cmd btool to check the configuration, which should help you find out the topology of the deployment.

https://docs.splunk.com/Documentation/Splunk/8.1.1/Troubleshooting/Usebtooltotroubleshootconfigurati...

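The server.conf check suggested in the answer above, as an added example that is not part of the original thread or Splunk's own tooling: it reads server.conf text, reports role hints from the `[clustering]`, `[shclustering]` and `[license]` stanzas, and compares free disk space with `minFreeSpace` from `[diskUsage]`. The sample file contents and host names are constructed, the function names are hypothetical, and the mode values assume the 8.1-era names (`master`, `slave`, `searchhead`) plus their later renames.

```python
import configparser
import shutil

# Constructed sample server.conf contents (not taken from the thread).
SAMPLE_SERVER_CONF = """\
[general]
serverName = mgmt01

[clustering]
mode = slave
master_uri = https://cm.example.invalid:8089

[diskUsage]
minFreeSpace = 5000
"""

def role_hints(conf_text):
    """Return (list of role hints, minFreeSpace in MB) from server.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    hints = []
    mode = cp.get("clustering", "mode", fallback="disabled").strip().lower()
    if mode in ("master", "manager"):
        hints.append("indexer cluster manager")
    elif mode in ("slave", "peer"):
        hints.append("indexer cluster peer")
    elif mode == "searchhead":
        hints.append("search head attached to an indexer cluster")
    else:
        hints.append("no indexer clustering configured (possibly standalone)")
    if cp.has_section("shclustering"):
        hints.append("search head cluster member")
    lic = cp.get("license", "master_uri", fallback="self").strip()
    if lic == "self":
        hints.append("acts as its own license master")
    else:
        hints.append("license peer of " + lic)
    # 5000 MB is the default threshold, matching the message in the question.
    min_free = cp.getint("diskUsage", "minFreeSpace", fallback=5000)
    return hints, min_free

def below_threshold(path, min_free_mb):
    """True if the filesystem holding `path` has less free space than the threshold."""
    free_mb = shutil.disk_usage(path).free // (1024 * 1024)
    return free_mb < min_free_mb

if __name__ == "__main__":
    hints, min_free = role_hints(SAMPLE_SERVER_CONF)
    print(hints, min_free, below_threshold(".", min_free))
```

A single file under `etc/system/local` shows only one configuration layer; the merged view printed by `$SPLUNK_HOME/bin/splunk cmd btool server list` uses the same stanza format and can be passed to `role_hints` instead.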

isoutamo
SplunkTrust

Hi

This https://docs.splunk.com/Documentation/Splunk/8.1.1/InheritedDeployment/Introduction is a good starting point for new admins with a new installation. Following it gives you an easy way to figure out what you have in your environment.

Your 2nd question: this means that you have run out of disk space on the indexer and you need to get more space or update your retention to get more space.

a) Splunk always stores its internal logs to its internal indexes (_<something>).

b) It will come back after some time, and finally, when you have run out of disk space, your environment won't work anymore.

c) Add more space for Splunk and/or check retentions.

r. Ismo
