Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do we deal with a new IP segment for our cluster?

efaundez
Path Finder
‎09-24-2018 07:14 AM

Good morning,

It is required to change the entire ip segment of our cluster since the interfaces will be changed to one of higher speed (fiber).

Is there any recommendation for this activity? as for example, perform maintenance mode, change ip's master, deployer ... etc etc?

This configuration is found in the servers.conf of each machine. It will be as easy as editing this file and update to the new IPs?

Regards

0 Karma
Reply

amiftah
Communicator
‎09-24-2018 08:55 AM
  1. Run splunk enable maintenance-mode on the master node
  2. Update your server.conf
  3. Restart the master-node
  4. Run the health check, must be in a searchable state
  5. In the indexers, update master_uri in servers.conf: -master_uri = https://newhost:8089
  6. Restart peers: UI: Settings > Rolling restart CLI: splunk rolling-restart cluster-peers
  7. In the search-head, update master_ur in servers.conf: -master_uri = https://newhost:8089
  8. Restart SH
  9. Disable maintenance mode for master node
  10. Make sure the forwarders point to the new indexers

Some useful links:
http://docs.splunk.com/Documentation/Splunk/7.1.3/Indexer/Restartthecluster
http://docs.splunk.com/Documentation/Splunk/7.1.3/Indexer/Handlemasternodefailure

0 Karma
Reply

efaundez
Path Finder
‎09-24-2018 09:03 AM

Hi, thanks for your response.

     When making these changes at some time the cluster will be unavailable for some time? since I must change the ip's:

1- Master
2- Deplyer
3- Indexer
4- Sh's
5- HF's
6- UF's

   If I get to change the ip of the master and the indexer's the sh will have problems when trying to access the data since it has changed the network segment of these.

   The same for the HF and UF since they will point directly to the old indexers and will have to be modified 1 by 1.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...