Solved: When configuring search head cluster data forwardi...

transtrophe · ‎03-28-2015

esix_splunk · ‎03-29-2015

Outputs.conf need to point to each indexer in your instance, not the cluster master. The cluster master doesn't designate to members where to index, but where to search.

View solution in original post

transtrophe · ‎03-29-2015

OK, thanks. I will make the configuration of outputs.conf accordingly. It does seem that this mechanism adds to the management complexity of forwarding the internal search head member data to the index cluster (which is indicated as a best practice), especially if the members of an index cluster are going to grow as the index cluster needs to grow for capacity/performance reasons.

On the other hand, using shc deployers to push the configuration changes to the shc members reduces some of this administrative burden, I suppose.

It's kind of too bad that the outputs.conf can't just point to the index cluster master node and let some internal mechanisms between the index cluster master and the shc members take care of the forwarding interactions, but if that's not how it works that's just the way it is - lol.

esix_splunk · ‎03-29-2015

Outputs.conf need to point to each indexer in your instance, not the cluster master. The cluster master doesn't designate to members where to index, but where to search.

When configuring search head cluster data forwarding to the search peer (indexer) layer, should the server attribute in the tcpout: stanza of the output.conf specify each peer in the indexer cluster or can it point to the cluster master?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM