Deployment Architecture

Unable to see all indexers by default.

CableB0y
Engager

I've recently started a new job, and one of my duties is to take over managing Splunk from the previous administrator, who left on short notice. I've got some lab knowledge of Splunk and have been a user, but never an administrator, so I'm not really sure whether we're meeting best practice with the current architecture.

Our current design is 1 x (Search Head/Indexer) and three search peers, all of which are configured under 'Distributed Search -> Search Peers'. The problem is that whenever I search for events, I only see events from the distributed peers, not from the indexer running on the search head. I'm able to verify that it is indeed indexing data, but I have to explicitly add 'splunk_server=*' to the SPL. Is this due to my current configuration, or is it possible I'm missing something in the configs?

Appreciate any help anyone can provide!

0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Usually in a distributed environment the same node is not an SH and an IDX at the same time; it's against best practices. I think that until you fix it, you need to add it also as a search peer in distsearch.conf or always add splunk_server=* to your searches.

Here are some instructions which could help you:

https://docs.splunk.com/Documentation/Splunk/8.0.4/InheritedDeployment/Introduction
https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf

r. Ismo


0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @CableB0y ,

Check if (as Splunk best practices say!) your indexer is configured to forward its logs to the Indexers [Settings -- Forwarding and Receiving -- Forwarding].

If yes, check if in your Indexers there's the missing index, if not add it.

Ciao.

Giuseppe

0 Karma
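The forwarding setup Giuseppe refers to, as an added example that is not part of the thread: an outputs.conf on the search head that sends everything it ingests (internal indexes included) to the indexing tier instead of indexing locally, so searches across the peers see the data without splunk_server=*. The group name and peer hostnames are placeholders; the receiving port 9997 is the conventional Splunk receiving port, which assumes the peers have receiving enabled on it.

```ini
# $SPLUNK_HOME/etc/system/local/outputs.conf on the search head
# Added example (not from the thread); hostnames, group name and ports are placeholders.

[indexAndForward]
# Do not keep a local copy of forwarded data on the search head.
index = false

[tcpout]
defaultGroup = primary_indexers
# Forward the internal indexes (_internal, _audit, ...) as well, not only user data.
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:primary_indexers]
# Receiving port on each indexer (placeholders; each peer must have receiving enabled on it).
server = idx-peer-1.example.com:9997, idx-peer-2.example.com:9997, idx-peer-3.example.com:9997
```

After a restart, a search such as `index=_internal | stats count by splunk_server` run from the search head should show its internal events arriving on the peers rather than only on the local instance; if the destination index does not exist on the peers, the events are dropped there, which is the "missing index" check in the post above.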

CableB0y
Engager

Hey thanks for the reply!

I checked and it doesn't look like forwarding is configured. I'm assuming based on the configuration that this will send all logs including internal logs to our other Splunk indexers, and I'm wondering what constraints that would have on bandwidth since some indexers are geographically separated.

I was able to fix the issue temporarily by modifying distsearch.conf on the search head to include an entry for localhost, but again, this was because the GUI wouldn't accept the hostname of the searchhead, so I'm thinking this is a poor long term solution.

0 Karma


CableB0y
Engager

I think you're 100% correct. I made the change in the UI originally but was prevented from adding the hostname of the SH, so I ended up making the change on the SH distsearch.conf file last week, restarted, and it seems to be working correctly now. I think we'll likely discuss moving the searchhead off the IDX, but appreciate the assistance in the interim!

0 Karma
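The interim workaround described in the thread (adding the combined node to its own peer list) as an added example, not the poster's actual file: a distsearch.conf on the search head listing the three existing peers plus the local management port, together with the search used to verify the result. Peer hostnames are placeholders; 8089 is the default Splunk management port, which this assumes is unchanged. Note that peers added by editing the file directly still need the trust relationship that `splunk add search-server` normally sets up, so the file edit alone may not be sufficient on every deployment.

```ini
# $SPLUNK_HOME/etc/system/local/distsearch.conf on the combined search head/indexer
# Added example (not from the thread); hostnames are placeholders, 8089 is the default management port.

[distributedSearch]
# The three existing peers plus the local instance, so its own indexes are searched by default.
servers = idx-peer-1.example.com:8089, idx-peer-2.example.com:8089, idx-peer-3.example.com:8089, localhost:8089

# Verification searches to run from the search head after a restart:
#   | rest /services/search/distributed/peers | table peerName status
#     -> the local node should appear with status "Up" alongside the other peers
#   index=_internal earliest=-15m | stats count by splunk_server
#     -> the search head's own name should now appear without adding splunk_server=*
```

The long-term fix remains the one Ismo gives: run the search head and the indexer on separate nodes, at which point the localhost entry is removed again.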