I have administrator access to the GUI of the search head cluster master and search head, but not the indexers. I am troubleshooting why data isn't coming into Splunk and need to see the following through the GUI of either the search head or the cluster master:
- indexes configured on each indexer
- inputs configured on each indexer
How can I do this? I can't seem to find an easy way to do so. I am running Splunk 6.6.2. I know this information is held within the configuration bundle on the cluster master, but I can't view this from the GUI; I can only deploy it from the cluster master console.
Thanks!
Hi rusty009,
let me understand:
Anyway, if you have access to Indexers CLI, you can see the configuration files (indexes.conf) so you don't have problems.
If instead you don't have access to the CLI on Indexers, you could use from the search web GUI the command | rest /services/data/indexes
but I don't think that in this way you can troubleshoot data ingestion.
About inputs, they aren't on Indexers so you have to debug them in a different way
Anyway, you should share more information and have a more structured approach:
Bye.
Giuseppe
Data is being sent via syslog to the indexers. No TA is being used, neither is there a deployment server. We don't have a clustered search head architecture, just a clustered index, so the cluster master is just to cluster the indexers.
Ok.
I think you also have a Load Balancer to distribute syslogs between indexers; if not, insert one, because otherwise you have a single point of failure and risk losing syslogs (you could also use DNS to distribute syslogs).
Do you receive any syslogs or not?
If not, check the path between source and Indexer.
If yes, see the format of the received logs, maybe there's an error in parsing (e.g. timestamp).
Anyway, if you don't have a web GUI to the Indexers, how do you configure syslog receiving? The only way is to access inputs.conf on the Indexers, can you do this?
If yes, you can use the btool command (for more information see https://docs.splunk.com/Documentation/Splunk/7.3.1/Troubleshooting/Usebtooltotroubleshootconfigurati... ) to have the complete list of all inputs and then see the exact inputs.conf file:
/opt/splunk/bin/splunk cmd btool inputs list --debug > my_inputs.txt
In this way you have all the active inputs on your servers.
Bye.
Giuseppe
I know I need to look at the input file on the indexers, that was my original question! I don't have access to the indexers, I need to look at the inputs file from the GUI of either the search head or cluster master.
From your SHs you can use the REST command
| rest /services/data/inputs splunk_server=indexer1
| rest /services/data/indexes splunk_server=indexer1
Bye.
Giuseppe
Fantastic, thank you! Is there any way I can pull details of a specific input?
Yes there is, just add an all at the end, so
| rest /services/data/inputs/all splunk_server=indexer1
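Building on the REST searches in this thread, the following added example (not part of the original posts) compares index definitions across all indexers from the search head and lists any index that is missing on some peers or disabled on at least one. It assumes the indexers are search peers of the search head and that at least one index exists on every indexer, so the highest per-index peer count equals the number of indexers.

```spl
| rest /services/data/indexes splunk_server=* count=0
| stats values(splunk_server) AS indexers dc(splunk_server) AS indexer_count max(disabled) AS disabled_somewhere BY title
| eventstats max(indexer_count) AS expected_indexers
| where indexer_count < expected_indexers OR disabled_somewhere=1
| table title indexers indexer_count expected_indexers disabled_somewhere
```

An empty result means every index is defined and enabled on every indexer, which points the ingestion problem toward the inputs or the network path rather than indexes.conf.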