Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When configuring search head cluster data forwarding to the search peer (indexer) layer, should the server attribute in the tcpout: stanza of the output.conf specify each peer in the indexer cluster or can it point to the cluster master?

transtrophe
Communicator
‎03-28-2015 07:11 PM
 
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎03-29-2015 06:02 AM

Outputs.conf need to point to each indexer in your instance, not the cluster master. The cluster master doesn't designate to members where to index, but where to search.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

transtrophe
Communicator
‎03-29-2015 08:14 AM

OK, thanks. I will make the configuration of outputs.conf accordingly. It does seem that this mechanism adds to the management complexity of forwarding the internal search head member data to the index cluster (which is indicated as a best practice), especially if the members of an index cluster are going to grow as the index cluster needs to grow for capacity/performance reasons.

On the other hand, using shc deployers to push the configuration changes to the shc members reduces some of this administrative burden, I suppose.

It's kind of too bad that the outputs.conf can't just point to the index cluster master node and let some internal mechanisms between the index cluster master and the shc members take care of the forwarding interactions, but if that's not how it works that's just the way it is - lol.

0 Karma
Reply
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎03-29-2015 06:02 AM

Outputs.conf need to point to each indexer in your instance, not the cluster master. The cluster master doesn't designate to members where to index, but where to search.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...