How to achieve distsearch.conf search head clustering?

gitingua
Communicator

Hello.

I can't change the file, or I might be doing something wrong.

Tell

I am editing the distsearch.conf file.
I delete the contents of servers 1.1.1.3, 1.1.1.4.

[distributedSearch]
disabled = 0
servers = https://1.1.1.1:8089,https://1.1.1.2:8089,https://1.1.1.3:8089,https://1.1.1.4:8089

After restarting Splunk,
everything comes back.
I'm trying to delete via the web. That also does not apply. I'm getting this error:

"Error occurred attempting to remove 1.1.1.3:8089: Failed to proxy search-server command request to Captain. Reason : ERROR: There is no search peer with a URI of https://1.1.1.3:8089. Either the URI you entered is incorrect or the search peer has already been removed.. "

There is network access. Everything works correctly.
But **bleep** it, I can't delete it from the file.

Maybe someone can tell me what I'm doing wrong, and is there any provision?


richgalloway
SplunkTrust

It sounds like you're editing the file directly on an SHC node. That's the wrong way to manage an SHC. Edit the file on your SHC Deployer and apply the shbundle.

---
If this reply helps you, Karma would be appreciated.

gitingua
Communicator

@richgalloway Fine. How can I remove the current changes? Because I can't go back to how it was. My /opt/splunk/etc/system/local/distsearch.conf file is overwritten back.


richgalloway
SplunkTrust

First, create an app in the $SPLUNK_HOME/etc/shcluster directory of your SHC Deployer.  The app will contain a distsearch.conf file.  Push the app to the cluster using the apply shcluster-bundle command.

Next, you need to delete the $SPLUNK_HOME/etc/system/local/distsearch.conf file from the SHC nodes.  I think the most effective way to do that is to stop all SHC members, delete the file, then restart the cluster.  Perhaps someone else will have a better answer that doesn't require an outage.

---
If this reply helps you, Karma would be appreciated.
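
Why the leftover member file matters, as an added example (not code from this thread or from Splunk): under Splunk's configuration precedence, etc/system/local outranks app directories, so a stale `servers` line there shadows whatever the deployer pushes. The app name `org_search_peers` and its two-peer list are assumptions for illustration.

```python
# Added example: which distsearch.conf "servers" value wins on an SHC member.
# Layers are listed highest precedence first; etc/system/local outranks apps.
def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def peers(value):
    return [p.strip() for p in (value or "").split(",") if p.strip()]

def effective(layers, stanza, key):
    """Return (layer_name, value) from the first layer that sets the key."""
    for name, text in layers:
        settings = parse_conf(text).get(stanza, {})
        if key in settings:
            return name, settings[key]
    return None, None

def shadowed_peers(layers, intended_layer):
    """Peers still in effect that the intended (deployer-pushed) layer omits."""
    winner, value = effective(layers, "distributedSearch", "servers")
    _, wanted = effective([(intended_layer, dict(layers)[intended_layer])],
                          "distributedSearch", "servers")
    return winner, sorted(set(peers(value)) - set(peers(wanted)))

# Stale member file, as shown in the thread.
SYSTEM_LOCAL = """[distributedSearch]
servers = https://1.1.1.1:8089, https://1.1.1.2:8089, https://1.1.1.3:8089, https://1.1.1.4:8089
"""
# Constructed: what the deployer app is meant to deliver (hypothetical app).
DEPLOYER_APP = """[distributedSearch]
servers = https://1.1.1.1:8089,https://1.1.1.2:8089
"""
APP = "etc/apps/org_search_peers"
LAYERS = [("etc/system/local", SYSTEM_LOCAL), (APP, DEPLOYER_APP)]

if __name__ == "__main__":
    print(shadowed_peers(LAYERS, APP))      # stale file present
    print(shadowed_peers(LAYERS[1:], APP))  # system/local copy removed
```

On a real member, `splunk btool distsearch list --debug` reports which file each effective setting comes from.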

gitingua
Communicator

@richgalloway
I deleted the file at the path /opt/splunk/etc/system/local/distsearch.conf on all SHs.

I created an application on the deployer server and created the apps/local/distsearch.conf file there with all the parameters.

I pushed it with the command
/opt/splunk/bin/splunk apply shcluster-bundle --answer-yes -target https://ip:8089 -preserve-lookups true

and at the path /opt/splunk/etc/system/local/distsearch.conf a new file was created, and it contained only this parameter:
[root@splunk-sh local]# cat distsearch.conf
[distributedSearch]
servers = https://1.1.1.1:8089, https://1.1.1.2:8089, https://1.1.1.3:8089, https://1.1.1.4:8089

It was created again.


richgalloway
SplunkTrust

That's strange.

Have you tried removing the peers via the CLI?

splunk remove search-server -auth admin:password 1.1.1.1:8089

---
If this reply helps you, Karma would be appreciated.
