- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- How to achieve distsearch.conf search head cluster...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to achieve distsearch.conf search head clustering?
Hello.
I can't change the file, or I might be doing something wrong.
Tell
I am editing distsearch.conf file
I delete the contents of servers 1.1.1.3, 1.1.1.4
[distributedSearch]
disabled = 0
servers = https://1.1.1.1:8089,https://1.1.1.2:8089,https://1.1.1.3:8089,https://1.1.1.4:8089
Restarting splunk
everything comes back.
I'm trying to delete via web. also does not apply. getting this error
"Error occurred attempting to remove 1.1.1.3:8089: Failed to proxy search-server command request to Captain. Reason : ERROR: There is no search peer with a URI of https://1.1.1.3:8089. Either the URI you entered is incorrect or the search peer has already been removed.. "
there is network access. everything works correctly.
But **bleep** it I can't delete it from the file
Maybe someone can tell me what I'm doing wrong. and is there any provision.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like you're editing the file directly on an SHC node. That's the wrong way to manage a SHC. Edit the file on your SHC Deployer and apply the shbundle.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@richgalloway Fine. How can I remove the current changes? because I can't go back to how it was. my /opt/splunk/etc/system/local/distsearch.conf file is overwritten back
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, create an app in the $SPLUNK_HOME/etc/shcluster directory of your SHC Deployer. The app will contain a distsearch.conf file. Push the app to the cluster using the apply shcluster-bundle command.
Next, you need to delete the $SPLUNK_HOME/etc/system/local/distsearch.conf file from the SHC nodes. I think the most effective way to do that is to stop all SHC members, delete the file, then restart the cluster. Perhaps someone else will have a better answer that doesn't require an outage.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@richgalloway
deleted the file along the path /opt/splunk/etc/system/local/distsearch.conf
on all sh
created an application on the deployer server and created the apps/local/distsearch.conf file there with all the parameters
push with the command
/opt/splunk/bin/splunk apply shcluster-bundle --answer-yes -target https://ip:8089 -preserve-lookups true
and along the path /opt/splunk/etc/system/local/distsearch.conf a new file was created and there was only a parameter
[root@splunk-sh local]# cat distsearch.conf
[distributedSearch]
servers = https://1.1.1.1:8089, https://1.1.1.2:8089, https://1.1.1.3:8089, https://1.1.1.4:8089
he created it again
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's strange.
Have you tried removing the peers via the CLI?
splunk remove search-server -auth admin:password 1.1.1.1:8089If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
New Case Study Shows the Value of Partnering with Splunk Academic Alliance
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
