Deployment Architecture
Highlighted

When configuring search head cluster data forwarding to the search peer (indexer) layer, should the server attribute in the tcpout: stanza of the output.conf specify each peer in the indexer cluster or can it point to the cluster master?

Communicator
0 Karma
Highlighted

Re: When configuring search head cluster data forwarding to the search peer (indexer) layer, should the server attribute in the tcpout: stanza of the output.conf specify each peer in the indexer cluster or can it point to the cluster master?

Super Champion

Outputs.conf need to point to each indexer in your instance, not the cluster master. The cluster master doesn't designate to members where to index, but where to search.

View solution in original post

0 Karma
Highlighted

Re: When configuring search head cluster data forwarding to the search peer (indexer) layer, should the server attribute in the tcpout: stanza of the output.conf specify each peer in the indexer cluster or can it point to the cluster master?

Communicator

OK, thanks. I will make the configuration of outputs.conf accordingly. It does seem that this mechanism adds to the management complexity of forwarding the internal search head member data to the index cluster (which is indicated as a best practice), especially if the members of an index cluster are going to grow as the index cluster needs to grow for capacity/performance reasons.

On the other hand, using shc deployers to push the configuration changes to the shc members reduces some of this administrative burden, I suppose.

It's kind of too bad that the outputs.conf can't just point to the index cluster master node and let some internal mechanisms between the index cluster master and the shc members take care of the forwarding interactions, but if that's not how it works that's just the way it is - lol.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.