Deployment Architecture

What's the proper way to add an indexer to an indexer cluster?

ddrillic
Ultra Champion

We are about to add an indexer to an indexer cluster running version 6.5.2. How do we do it, including the DMC part?

0 Karma
1 Solution

skoelpin
SplunkTrust

Does your existing indexer have data on it? Is it a new indexer you're adding to the cluster?

You need to add this new indexer as a search peer to the search head, master node and the DMC. When adding to the DMC, you should classify this as an indexer and not a search head.

Lastly, you will need to modify outputs.conf on your forwarders to add this additional indexer (search peer). The best approach is to create an outputs app on the deployment server; this way you can edit your outputs.conf in one spot and send it to all of your hosts.

http://docs.splunk.com/Documentation/Splunk/7.0.0/Indexer/Configurethepeerindexes

traxxasbreaker
Communicator

You will need to set up a clustering stanza in the indexer's server.conf file with pass4SymmKey set to the same value as the cluster master. Note that these values are hashed, and if $SPLUNK_HOME/etc/auth/splunk.secret does not match your cluster master's, you will need to put the plain text value in on your indexer and let Splunk hash it when it starts up.

Additionally, you'll need to set the master_uri setting in your clustering stanza to point to the cluster master and make sure it's set to be a slave. Details on the indexer configuration can be found here. If your environment was first built by professional services, look around in the etc/apps directory on your indexers for an app that's called something like <org>_indexer_base which should have a lot of these settings already in place.

You'll also need to set your indexers to point to the license master (also in server.conf) and to share all the inputs and index time settings of your other indexers. In many environments this is handled by apps pushed from the cluster master. If the indexers are Linux, also pay close attention to ulimits and THP at the time you are building your indexers.

0 Karma
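A pre-flight check for the server.conf settings named in the reply above, as an added example that is not from the posters or from Splunk. The function name, the `secret_matches_master` flag, the host names and the key value are assumptions made for illustration; the sample file is constructed.

```python
import configparser

# Constructed sample of a new peer's server.conf; hosts and key are placeholders.
SAMPLE_SERVER_CONF = """
[clustering]
mode = slave
master_uri = https://cm.example.internal:8089
pass4SymmKey = $1$cGxhY2Vob2xkZXI=

[license]
master_uri = https://lm.example.internal:8089
"""

def check_peer_conf(text, secret_matches_master=False):
    """Return a list of findings for a peer's server.conf (empty list = OK)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep setting names case-sensitive (pass4SymmKey)
    cp.read_string(text)
    if not cp.has_section("clustering"):
        return ["missing [clustering] stanza"]
    findings = []
    cl = cp["clustering"]
    if cl.get("mode") != "slave":
        findings.append("[clustering] mode must be 'slave' on a peer")
    if not cl.get("master_uri"):
        findings.append("[clustering] master_uri (cluster master) is not set")
    key = cl.get("pass4SymmKey", "")
    if not key:
        findings.append("[clustering] pass4SymmKey is not set")
    elif key.startswith(("$1$", "$7$")) and not secret_matches_master:
        # A stored value is bound to the splunk.secret of the host that wrote
        # it; copied to a host with a different secret it will not match.
        findings.append("pass4SymmKey is in stored (encrypted) form: enter the "
                        "plain-text value unless splunk.secret matches the master")
    # 'self' is the stock value, meaning the instance is its own license master.
    if cp.get("license", "master_uri", fallback="self") in ("", "self"):
        findings.append("[license] master_uri does not point to a license master")
    return findings

if __name__ == "__main__":
    for finding in check_peer_conf(SAMPLE_SERVER_CONF) or ["OK"]:
        print(finding)
```

Run it against the new indexer's server.conf before the first restart, since Splunk rewrites a plain-text pass4SymmKey into its stored form at startup.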

ddrillic
Ultra Champion

-- Does your existing indexer have data on it? Is it a new indexer you're adding to the cluster?
No data yet - it's a new indexer...

Perfect @skoelpin. Let me go please through the documentation.

0 Karma

traxxasbreaker
Communicator

Is the question how to add it to the actual indexer cluster by connecting it to the cluster master, or how to make it show up as part of the indexer cluster on the DMC after it's already been added to the cluster?

0 Karma

ddrillic
Ultra Champion

-- Is the question how to add it to the actual indexer cluster by connecting it to the cluster master,..
Right - that's it.

0 Karma