What does Splunk Indexer, Search Head and Forwarde...

deepak02 · ‎02-09-2017

Hi,

I have a Splunk (Enterprise) PROD system and I need to figure out the connectivity between the various components.

I have managed to figure out the components - 3 Search Heads + 6 indexers + many forwarders.
(Query used: | rest /services/server/info | dedup splunk_server,server_roles | table splunk_server,server_roles)

I do not have access to the conf files, limited access to REST services, and full access to _internal files.

Can you please tell me how to figure out the connectivity from the internal log files? Do each of the Splunk components log anything each time they connect?

Thanks,
Deepak

woodcock · ‎02-18-2017

Your best best bet is to use the Montoring Console features:

https://docs.splunk.com/Documentation/Splunk/6.5.2/DMC/DMCoverview

This will provide all of the capability and searches that you should need.

gcusello · ‎02-10-2017

Hi deepak02,
usually it's a Splunk best practice to send all Splunk servers internal logs to indexers so they are searchable (e.g. in the Splunk Monitoring Console you can monitor only Splunk components that send their internal logs to indexers).

In addition in the internal logs there are many useful information for your daily jobs (e.g. control of connected forwarders).

See http://docs.splunk.com/Documentation/Splunk/6.5.2/Troubleshooting/WhatSplunklogsaboutitself for all the information you can have from internal logs.

Bye.
Giuseppe

What does Splunk Indexer, Search Head and Forwarder log the first time it connects?

Admin Your Splunk Cloud, Your Way

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

New Customer Testimonials