I inherited one SH and 2 indexers, 1 LM, and one Deployment Server supporting forwarders.
I have to onboard data and am not sure if I have to go to each indexer to update indexes.conf and props.conf?
On the Deployment Server I created an app and serverclass.conf, and configured the UF with serverclass.conf.
I configured a current existing index in the inputs.conf that I distributed to the UF. The UF was installed as root and is owned by root, so I believe I can eliminate log file permissions on the UF.
It would be greatly appreciated if you could share your knowledge and approach on managing non-clustered indexers, please.
3 non clustered indexers I have
Hi @jcorcoran508,
you can manage your Indexers in two ways and each way has pros and cons:
You can manage Indexers using the Deployment Servers:
As a second choice, you could manually upgrade each Indexer:
In the end, if the short downtime for the Indexers' restart isn't a problem, I suggest using the Deployment Server, especially if you have only logs from Universal Forwarders that cache logs during downtime.
At the same time, if you have storage availability, I suggest moving to a cluster that gives you high availability.
Ciao.
Giuseppe
Hi @jcorcoran508,
good for you, see you next time!
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
A sophisticated version of the manual update is to use e.g. Ansible to handle the deployment of those conf files. Just ensure that you have "serial: 1" in the playbook, and then those deployment steps are run one by one.
But if it's possible, I propose starting to use a cluster for several indexers. Then you will also get better availability for your data.
r. Ismo
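
The rolling update described in the reply above, sketched as an Ansible playbook. This is an added example, not part of the original thread or posted by any of its participants. The inventory group `indexers`, the install path `/opt/splunk`, the service account `splunk`, the receiving port 9997 and the app name `org_all_indexes` are assumptions to adapt.

```yaml
# Added example: update non-clustered indexers one host at a time.
# Assumed layout next to this playbook:
#   apps/org_all_indexes/default/indexes.conf
#   apps/org_all_indexes/default/props.conf
- name: Push index-time configuration to standalone indexers
  hosts: indexers              # assumed inventory group
  serial: 1                    # finish one indexer before touching the next
  any_errors_fatal: true       # abort the rollout on the first failure
  become: true
  vars:
    splunk_home: /opt/splunk   # assumed install path
    splunk_user: splunk        # assumed non-root service account
    app_name: org_all_indexes  # hypothetical app name
  tasks:
    - name: Copy the app that carries indexes.conf and props.conf
      ansible.builtin.copy:
        src: "apps/{{ app_name }}/"
        dest: "{{ splunk_home }}/etc/apps/{{ app_name }}/"
        owner: "{{ splunk_user }}"
        group: "{{ splunk_user }}"
        mode: "u=rwX,g=rX,o="  # no access for other local users
      register: app_copy

    - name: Run the btool configuration check before restarting
      ansible.builtin.command: "{{ splunk_home }}/bin/splunk btool check"
      become_user: "{{ splunk_user }}"
      changed_when: false
      when: app_copy is changed

    - name: Restart Splunk only if the app changed
      ansible.builtin.command: "{{ splunk_home }}/bin/splunk restart"
      become_user: "{{ splunk_user }}"
      when: app_copy is changed

    - name: Wait until the indexer accepts forwarder traffic again
      ansible.builtin.wait_for:
        port: 9997             # assumed receiving port
        timeout: 300
```

Because of `serial: 1`, only one indexer is restarting at any moment, so forwarders always have another indexer to send to while the new configuration rolls out.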