Deployment Architecture

View Indexer config with only access to the cluster master & search head GUI

rusty009
Path Finder

I have administrator access to the GUI of the search head cluster master and search head, but not the indexers. I am troubleshooting why data isn't coming into Splunk and need to see the following through the GUI of either the search head or the cluster master:
- indexes configured on each indexer
- inputs configured on each indexer

How can I do this? I can't seem to find an easy way to do so. I am running Splunk 6.6.2. I know this information is held within the configuration bundle on the cluster master, but I can't view this from the GUI; I can only deploy it from the cluster master console.

Thanks!

0 Karma
1 Solution

gcusello
SplunkTrust

Hi rusty009,
let me understand:

  • you have access to web GUI on Search Heads,
  • when you speak of Search Head Cluster Master, are you speaking of the Deployer (controller of Search Head Cluster) or of the Indexers Master Node?
  • you haven't access to the Indexers web GUI (usually it's disabled on production systems!),
  • have you access to the CLI on Indexers?

Anyway, if you have access to Indexers CLI, you can see the configuration files (indexes.conf) so you don't have problems.
If instead you don't have access to the CLI on Indexers, you could use from the search web GUI the command | rest /services/data/indexes but I don't think that in this way you can troubleshoot data ingestion.

About inputs, they aren't on Indexers so you have to debug them in a different way.

Anyway, you should share more information and have a more structured approach:

  • how do you ingest data? are you using Universal Forwarders and/or syslogs?
  • are you using any Technical Add-On to ingest and/or parse data?
  • which data do you want to ingest?
  • have you a Deployment Server? what is your architecture?

Bye.
Giuseppe

rusty009
Path Finder

Data is being sent via syslog to the indexers. No TA is being used, neither is there a deployment server. We don't have a clustered search head architecture, just a clustered index, so the cluster master is just to cluster the indexers.

0 Karma

gcusello
SplunkTrust

Ok.
I think you also have a Load Balancer to distribute syslogs between indexers; if not, insert it because otherwise you have a single point of failure and risk losing syslogs (you could also use DNS to distribute syslogs).

Do you receive any syslogs or not?
If not, check the path between source and Indexer.
If yes, see the format of the received logs, maybe there's an error in parsing (e.g. timestamp).

Anyway, if you haven't a web GUI to Indexers, how do you configure syslog receiving? The only way is to access inputs.conf on Indexers, can you do this?
If yes, you can use the btool command (for more information see https://docs.splunk.com/Documentation/Splunk/7.3.1/Troubleshooting/Usebtooltotroubleshootconfigurati... ) to have the complete list of all inputs and then see the exact inputs.conf file:

/opt/splunk/bin/splunk cmd btool inputs list --debug > my_inputs.txt

In this way you have all the active inputs on your servers.

Bye.
Giuseppe

0 Karma
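
An added example, not part of the original thread or of Splunk's own tooling: a small Python parser for the `--debug` output of `btool inputs list` described above, reporting only the network listeners (such as syslog over UDP/TCP) with the index, sourcetype and the file that defines each one. The sample output and the function names `parse_btool_debug` and `network_inputs` are constructed for illustration, and the parser assumes config paths contain no spaces.

```python
import re

# Constructed sample of `--debug` output: file path, then a stanza or a setting.
SAMPLE = """\
/opt/splunk/etc/system/default/inputs.conf        [default]
/opt/splunk/etc/system/default/inputs.conf        index = default
/opt/splunk/etc/system/local/inputs.conf          host = indexer1
/opt/splunk/etc/apps/syslog_in/local/inputs.conf  [udp://514]
/opt/splunk/etc/apps/syslog_in/local/inputs.conf  connection_host = ip
/opt/splunk/etc/system/local/inputs.conf          host = indexer1
/opt/splunk/etc/apps/syslog_in/local/inputs.conf  index = network
/opt/splunk/etc/apps/syslog_in/local/inputs.conf  sourcetype = syslog
/opt/splunk/etc/apps/search/local/inputs.conf     [monitor:///var/log/messages]
/opt/splunk/etc/apps/search/local/inputs.conf     disabled = 1
/opt/splunk/etc/system/default/inputs.conf        index = default
"""

LINE = re.compile(r"^(\S+)\s+(.+)$")  # assumption: no spaces in config paths
NETWORK_PREFIXES = ("udp:", "tcp:", "tcp-ssl:", "splunktcp")


def parse_btool_debug(text):
    """Return {stanza: {"file": path, "settings": {key: (value, path)}}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        path, rest = m.groups()
        if rest.startswith("[") and rest.endswith("]"):
            current = stanzas.setdefault(rest[1:-1], {"file": path, "settings": {}})
        elif current is not None and "=" in rest:
            key, _, value = rest.partition("=")
            current["settings"][key.strip()] = (value.strip(), path)
    return stanzas


def network_inputs(stanzas):
    """List listening inputs with their index, sourcetype and defining file."""
    rows = []
    for name, info in stanzas.items():
        if not name.startswith(NETWORK_PREFIXES):
            continue
        s = info["settings"]
        rows.append({"stanza": name, "file": info["file"],
                     "index": s.get("index", (None, None))[0],
                     "sourcetype": s.get("sourcetype", (None, None))[0],
                     "disabled": s.get("disabled", ("0", None))[0].lower() in ("1", "true")})
    return rows
```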

rusty009
Path Finder

I know I need to look at the input file on the indexers, that was my original question! I don't have access to the indexers, I need to look at the inputs file from the GUI of either the search head or cluster master.

0 Karma

gcusello
SplunkTrust

From your SHs you can use the REST command:

| rest /services/data/inputs splunk_server=indexer1
| rest /services/data/indexes splunk_server=indexer1

Bye.
Giuseppe

0 Karma

rusty009
Path Finder

Fantastic, thank you! Is there any way I can pull details of a specific input?

0 Karma

rusty009
Path Finder

Yes there is, just add an all at the end, so:
| rest /services/data/inputs/all splunk_server=indexer1

0 Karma