- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have an uncommon situation.
We have multiple Splunk instances on a single unix instance; two search heads, one deployer, and two indexers. The problem now is to setup a search head cluster.
Would someone please help with the configurations?
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a similar setup for our test environment. With three instances for the search heads you can configure each one's server.conf separately. There is a stanza in server.conf that applies when search head clustering is enabled. By default it is [replication_port://] with the port being 9000 I believe. You can change these to be different on each instance. Something like:
Instance 1:
[replication_port://9000]
Instance 2:
[replication_port://9100]
Instance 3:
[replication_port://9200]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Q: if there are more than 3 members, does the number of replication ports also increase - e.g. 4 members = 4 replication ports? What happens if you decide to just use the same port for all members?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a similar setup for our test environment. With three instances for the search heads you can configure each one's server.conf separately. There is a stanza in server.conf that applies when search head clustering is enabled. By default it is [replication_port://] with the port being 9000 I believe. You can change these to be different on each instance. Something like:
Instance 1:
[replication_port://9000]
Instance 2:
[replication_port://9100]
Instance 3:
[replication_port://9200]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As i tried this 9000 port in the peer side in the indexer, my indexer UI stuck please suggest.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When setting up your search head cluster you can specify ports during configuration as well:
./splunk init shcluster-config -mgmt_uri https://:8x89 -replication_port 9x00 -secret shcluster
You'll want a different management port for each one as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mdsnmss - I'm SO glad you said that. I was kind of going crosseyed at the OP's setup until you said, "test instance"...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep, purely to test configurations. We have run into some issues while testing SSL from forwarder to indexer doing this however.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, purely to test. Luckily Splunk + Linux is the best way to play around.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need at least three search heads for a SH cluster.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok., increased to three.