Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk indexer node unable to join the cluster

skrish91
Path Finder
‎05-16-2019 08:32 AM

I have an indexer cluster with 1 master and 2 peer nodes. The peer nodes machine got rebooted suddenly and now 1 of the peer node is showing status DOWN. I have tried restarting the node but it doesnt help. The replication factor for the cluster is 2. I have also tried adding the node to the cluster again and it complains the secret key is wrong. Is there any way I could find the secret key from the master or the working node? What is the best way to fix this issue and make the peer join the cluster?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nareshinsvu
Builder
‎08-04-2019 07:13 PM

As everyone mentioned, change the server.conf files on Master and indexer nodes
followed by a splunk restart of Master and then indexers

https://docs.splunk.com/Documentation/Splunk/7.2.6/Indexer/Enableclustersindetail#Configure_the_secu...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nareshinsvu
Builder
‎08-04-2019 07:13 PM

As everyone mentioned, change the server.conf files on Master and indexer nodes
followed by a splunk restart of Master and then indexers

https://docs.splunk.com/Documentation/Splunk/7.2.6/Indexer/Enableclustersindetail#Configure_the_secu...

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎05-16-2019 10:27 AM

@skrish91 if you do not have access to keys, then assign new keys . It must be pass4symmkey in server.conf for cluster.
Assign a new password/key on all the 3 servers and rebooting would encrypt it. Make sure you change pass4symmkey only for your indexer cluster stanza in server.conf.

Use this document-

https://docs.splunk.com/Documentation/Splunk/7.2.6/Indexer/Enableclustersindetail#Configure_the_secu...

0 Karma
Reply
Solved! Jump to solution

skrish91
Path Finder
‎05-16-2019 10:43 AM

I tried changing the pass4symmkey under [clustering] section. When I change that and restart the services on all the machines, master and node2 is ok but the node1 shows its DOWN. This was weird.

0 Karma
Reply
Solved! Jump to solution

Jarohnimo
Builder
‎08-04-2019 03:04 PM

Change the pass4 key to whatever you'd like. You'd have to change it in both cluster master and indexer nodes if you don't remember It, and then restart the nodes starting with the Master node first (you can do it from the gui).

0 Karma
Reply
Solved! Jump to solution

codebuilder
Influencer
‎05-17-2019 01:17 PM

The pass4SymmKey under [general] also needs to match on all nodes in the cluster.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...