Deployment Architecture
Highlighted

Which instance or configuration file in my Splunk environment contains cluster master details?

Motivator

Currently in our environment, we have 5 indexer instances, four search heads, a scheduled search Job instance, 2 Heavy Forwarders, and a deployment manager/ License master running on the same instance?

Kindly let me know in which instance/configuration file can I find out the cluster-master details.

0 Karma
Highlighted

Re: Which instance or configuration file in my Splunk environment contains cluster master details?

Legend

If you go in one of the clustered indexers and see at "Settings - Indexers Clustering" you can see the Master's URL.
After, you can see configurated peers in Master Node at "Settings - Indexers Clustering".
Bye.
Giuseppe

Highlighted

Re: Which instance or configuration file in my Splunk environment contains cluster master details?

Motivator

Thanks, Giuseppe, I had tried login into one of the search head --> settings --> Distributed Environment --> clustering. I could not see any configuration related to clustering, I could see Enable Clustering option. Correct if this is not the correct place to look into. Similarly under settings --> Distributed Environment --> Distributed search --> search peers --> I could see all the indexer are listed. Kindly let me is any other way I can find the master node details.

0 Karma
Highlighted

Re: Which instance or configuration file in my Splunk environment contains cluster master details?

Legend

If you are speaking about Indexers Cluster, to find the Master Node you have to see in one of the indexers.
Bye.
Giuseppe

0 Karma
Highlighted

Re: Which instance or configuration file in my Splunk environment contains cluster master details?

SplunkTrust
SplunkTrust

You can find the details from server.conf

For master, you will have the below entries under [clustering] stanza

[clustering]
mode = master --> tells the master
replication_factor = 4
search_factor = 3
pass4SymmKey = whatever
cluster_label = cluster1

and for peers

[clustering]
master_uri = https://<ip>:8089 -->gives you master URI
mode = slave  -->tells its's a peer
pass4SymmKey = whatever

You can find the license master details also from server.conf under [license] stanza

Hope this helps

0 Karma
Highlighted

Re: Which instance or configuration file in my Splunk environment contains cluster master details?

Motivator

Thanks Renjith, I have checked the server. Conf file in the indexers under the following paths /opt/splunk/etc/apps/xxxx/default/server.conf and I could see only below stanza

[httpServer]
maxThreads = 1000

Similarly under this path /opt/splunk/etc/system/local - I could see this stanza

[sslConfig]
sslKeysfilePassword = xxxxxxxxxx

[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
quota = MAX
slaves = *
stack_id = download-trial

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free

[license]
master_uri = https://:8089 -->
[general]
pass4SymmKey = xxxxxxxx
serverName = xxxxxxxxxx

incase of License /deployment master instance under this path
/opt/splunk/etc/shcluster/apps/XXX-ADMIN-all_indexers/default/server.conf

[httpServer]
maxThreads = 1000

/opt/splunk/etc/shcluster/apps/XXX-ADMIN-hvy_forwarders/default/server.conf

[queue]
maxSize = 200MB

/opt/splunk/etc/shcluster/apps/XXX-ADMIN-searchheadcluster/default/server.conf

[license]
master_uri = https://:8089 --> 

In all the above mentioned path I could not see the stanza called clustering, so kindly let me is this is the correct path to validate recoding the master node details.

Thanks in Advance.

0 Karma
Highlighted

Re: Which instance or configuration file in my Splunk environment contains cluster master details?

SplunkTrust
SplunkTrust

Check with btool in all server configuration.

 ./splunk cmd btool server list --debug clustering

If it returns only default values from /etc/system/default/server.conf, then most likely your environment is not clustered but a distributed environment

http://docs.splunk.com/Documentation/Splunk/6.4.1/Indexer/Keydifferences

Similarly run this for finding out the search head clustering details from a search head

 ./splunk cmd btool server list --debug shclustering
0 Karma
Highlighted

Re: Which instance or configuration file in my Splunk environment contains cluster master details?

Motivator

thanks Ranjith, after executing the above command in all the indexer, It returned only the default values from /etc/system/default/server.conf, from this it was clear that ours is Distributed Splunk Environment not a clustered.
Similarly when I ran the command on the search heads (Four search heads / one Scheduled Job search severs) got the same default result. But as per the architecture diagram, I could see two search heads are connected to file sharing pools where it share the information about the search's. Kindly guide why its not showing the clustered results or whether its clustered one but currently its not working as clustered.
thanks in Advance.

0 Karma
Highlighted

Re: Which instance or configuration file in my Splunk environment contains cluster master details?

SplunkTrust
SplunkTrust

Which version of splunk you are using? File share was used in 5.x search head pooling and it's deprecated and changed to search head clustering in 6.x

0 Karma
Highlighted

Re: Which instance or configuration file in my Splunk environment contains cluster master details?

Motivator

thank Renjith, We are using the 6.0.3 and 6.2.1 version in our environment. As per the architecture diagram, the two searched heads are clustered along with this file sharing server. I had ran the below command to identify whether the two search head are in clustered or not, but I did not get any output after executing the CLI.
./splunk cmd btool server list --debug shclustering

I had even stopped one of the search head to test for clustering behavior, but it was not getting switched to another server. It was still pointing to the same server, I had verified this by going to setting --> system details --> General setttings --> splunk server name.

Kindly guide me to fix this problem. thanks in advance

0 Karma