
How to achieve distsearch.conf search head clustering?

gitingua
Communicator

Hello.

I can't change the file, or I might be doing something wrong.

Tell

I am editing the distsearch.conf file. I delete the entries for servers 1.1.1.3 and 1.1.1.4:

[distributedSearch]
disabled = 0
servers = https://1.1.1.1:8089,https://1.1.1.2:8089,https://1.1.1.3:8089,https://1.1.1.4:8089

After restarting Splunk, everything comes back.
I'm also trying to delete them via the web UI; that doesn't apply either, and I get this error:

"Error occurred attempting to remove 1.1.1.3:8089: Failed to proxy search-server command request to Captain. Reason : ERROR: There is no search peer with a URI of https://1.1.1.3:8089. Either the URI you entered is incorrect or the search peer has already been removed.. "


There is network access; everything works correctly.
But **bleep** it, I can't delete it from the file.

Maybe someone can tell me what I'm doing wrong, and whether there is any provision for this.


richgalloway
SplunkTrust

It sounds like you're editing the file directly on an SHC node.  That's the wrong way to manage a SHC.  Edit the file on your SHC Deployer and apply the shbundle.

---
If this reply helps you, Karma would be appreciated.

gitingua
Communicator

@richgalloway Fine. How can I remove the current changes? I can't go back to how it was: my /opt/splunk/etc/system/local/distsearch.conf file keeps getting overwritten back.


richgalloway
SplunkTrust

First, create an app in the $SPLUNK_HOME/etc/shcluster directory of your SHC Deployer.  The app will contain a distsearch.conf file.  Push the app to the cluster using the apply shcluster-bundle command.

Next, you need to delete the $SPLUNK_HOME/etc/system/local/distsearch.conf file from the SHC nodes.  I think the most effective way to do that is to stop all SHC members, delete the file, then restart the cluster.  Perhaps someone else will have a better answer that doesn't require an outage.

---
If this reply helps you, Karma would be appreciated.
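The deployer-side procedure from this answer, as an added shell example that is not code from the original thread: it drops the unwanted peers from the servers value, stages an app under the deployer's $SPLUNK_HOME/etc/shcluster/apps with the resulting distsearch.conf, and wraps the same apply shcluster-bundle push used in the thread. The app name shc_distsearch, the SHC_DEPLOYER_STAGE variable and the example target host are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Stages distsearch.conf on the
# deployer (the correct place to manage it for a search head cluster) so the
# captain stops re-creating system/local/distsearch.conf on the members.
set -eu

# Print the comma-separated servers value with the given peer URIs removed.
# Accepts the spaced form ("a, b") the captain writes as well as the unspaced one.
distsearch_servers_without() {
  servers=$1; shift
  kept=""
  for peer in $(printf '%s' "$servers" | tr ',' ' '); do
    drop=0
    for gone in "$@"; do
      [ "$peer" = "$gone" ] && drop=1
    done
    [ "$drop" -eq 1 ] || kept="${kept:+$kept,}$peer"
  done
  printf '%s\n' "$kept"
}

# Create <shcluster_dir>/apps/<app>/local/distsearch.conf with the given servers
# value and print its path. shcluster_dir is normally $SPLUNK_HOME/etc/shcluster.
stage_distsearch_app() {
  shcluster_dir=$1; app=$2; servers=$3
  conf_dir="$shcluster_dir/apps/$app/local"
  mkdir -p "$conf_dir"
  printf '[distributedSearch]\ndisabled = 0\nservers = %s\n' "$servers" \
    > "$conf_dir/distsearch.conf"
  printf '%s\n' "$conf_dir/distsearch.conf"
}

# Push the staged bundle to the cluster (same command as in the thread).
# $1 is the management URI of any SHC member, e.g. https://sh1.example.internal:8089
# (placeholder host, an assumption).
push_shcluster_bundle() {
  "${SPLUNK_HOME:-/opt/splunk}/bin/splunk" apply shcluster-bundle \
    --answer-yes -target "$1" -preserve-lookups true
}

# Demo with the peer list from the thread (constructed values); runs only when
# SHC_DEPLOYER_STAGE names the deployer's shcluster directory, so the file can
# also be sourced for its functions.
if [ -n "${SHC_DEPLOYER_STAGE:-}" ]; then
  kept=$(distsearch_servers_without \
    "https://1.1.1.1:8089,https://1.1.1.2:8089,https://1.1.1.3:8089,https://1.1.1.4:8089" \
    https://1.1.1.3:8089 https://1.1.1.4:8089)
  stage_distsearch_app "$SHC_DEPLOYER_STAGE" shc_distsearch "$kept"
fi
```

Run it on the deployer as `SHC_DEPLOYER_STAGE=/opt/splunk/etc/shcluster sh stage.sh`, then call `push_shcluster_bundle` with one member's management URI; the members' own system/local copy still has to be removed as described above, since it outranks the app.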

gitingua
Communicator

@richgalloway I deleted the file at /opt/splunk/etc/system/local/distsearch.conf on all search heads.

I created an application on the deployer server and created the apps/local/distsearch.conf file there with all the parameters.

I pushed it with the command:
/opt/splunk/bin/splunk apply shcluster-bundle --answer-yes -target https://ip:8089 -preserve-lookups true

Afterwards a new file was created at /opt/splunk/etc/system/local/distsearch.conf, containing only one parameter:
[root@splunk-sh local]# cat distsearch.conf
[distributedSearch]
servers = https://1.1.1.1:8089, https://1.1.1.2:8089, https://1.1.1.3:8089, https://1.1.1.4:8089


It created it again.


richgalloway
SplunkTrust

That's strange.

Have you tried removing the peers via the CLI?

splunk remove search-server -auth admin:password 1.1.1.1:8089

---
If this reply helps you, Karma would be appreciated.