Deployment Architecture

When configuring search head cluster data forwarding to the search peer (indexer) layer, should the server attribute in the tcpout: stanza of the output.conf specify each peer in the indexer cluster or can it point to the cluster master?

transtrophe
Communicator
0 Karma
1 Solution

esix_splunk
Splunk Employee
Splunk Employee

Outputs.conf need to point to each indexer in your instance, not the cluster master. The cluster master doesn't designate to members where to index, but where to search.

View solution in original post

0 Karma

transtrophe
Communicator

OK, thanks. I will make the configuration of outputs.conf accordingly. It does seem that this mechanism adds to the management complexity of forwarding the internal search head member data to the index cluster (which is indicated as a best practice), especially if the members of an index cluster are going to grow as the index cluster needs to grow for capacity/performance reasons.

On the other hand, using shc deployers to push the configuration changes to the shc members reduces some of this administrative burden, I suppose.

It's kind of too bad that the outputs.conf can't just point to the index cluster master node and let some internal mechanisms between the index cluster master and the shc members take care of the forwarding interactions, but if that's not how it works that's just the way it is - lol.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Outputs.conf need to point to each indexer in your instance, not the cluster master. The cluster master doesn't designate to members where to index, but where to search.

View solution in original post

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!