Deployment Architecture

Why does my single site Indexer Cluster only show _audit and _internal buckets from Cluster Master?

princemanto2580
Path Finder

Hello Splunker,

I prepared a lab with the instances below to see Single Site Index Clustering in real time. But after configuring it, I can only see the _audit and _internal indexes from the Cluster Master. Where are the rest of the default indexes, like main, etc.?

1 Search Head with Deployment Server and License Master
1 Cluster Master
2 Indexer for Cluster Peer

I reviewed this question from https://answers.splunk.com/answers/143987/cluster-master-does-not-display-custom-or-main-index-only-... .

Note that all the configuration has been done from CLI commands, not from apps.

Can anyone suggest what the reason could be?

0 Karma
1 Solution

gcusello
SplunkTrust

Hi princemanto2580,
until you have acquired logs in an index, you don't see it in the Master Node dashboards.
Bye.
Giuseppe

0 Karma

princemanto2580
Path Finder

Absolutely correct. Thanks for the details.

0 Karma

gjanders
SplunkTrust

Also don't forget to set the setting per-index within the indexes.conf file of:
repFactor = auto

When you do introduce new indexes as per the documentation...

0 Karma

princemanto2580
Path Finder

I tried today to create an additional index from master-app, but it is not reflected in the cluster peer indexes, although the configuration was pushed and I am able to see it in slave-apps. Any idea what I am missing?

0 Karma

gcusello
SplunkTrust

check the path you used.
Bye.
Giuseppe

0 Karma

princemanto2580
Path Finder

Which path are you referring to?

[test]
coldPath = $SPLUNK_DB/test/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/test/db
maxTotalDataSizeMB = 500
coldToFrozenDir = /opt/frozen/test
thawedPath = $SPLUNK_DB/test/thaweddb
maxDataSize = 200
repFactor = auto

0 Karma

gcusello
SplunkTrust

correct me if I'm wrong:

  • you created the test index in Master Node,
  • you deployed Bundle;
  • you see test index folder in $SPLUNK_DB;
  • you ingested logs in test index;
  • you don't see test index in Master Node dashboard?

can you share a screenshot of Master Node Index Replication dashboard?

Bye.
Giuseppe

0 Karma

princemanto2580
Path Finder

Hi Giuseppe,

  • I created the test index in Master Node (correct)
  • I deployed Bundle; (correct)
  • I see test index folder in $SPLUNK_DB; (No, I cannot see it yet)
  • I ingested logs in test index; (not yet; let me see the index first, then data ingestion will be carried out)
  • I don't see test index in Master Node dashboard. (As you clarified, no data in the index means you cannot see the index in the Master Node dashboard)
0 Karma

gjanders
SplunkTrust

The index will not appear in the cluster master until it contains data, as per Giuseppe's previous post.

0 Karma

princemanto2580
Path Finder

As per the details from Giuseppe, indexes will not be seen from the Cluster Master until data is ingested into that index. But my question is: can that index be seen from the Cluster Peers?

If the answer is simply NO, then it is fine for me. But if the answer is YES, then it is a problem for me.

Hope you can understand my question.

0 Karma

gjanders
SplunkTrust

To confirm the index is configured on the peer you could run:
splunk btool indexes list --debug
(on the CLI of the peer)

Or look within the GUI of the individual indexer if that is turned on, does that help?

0 Karma
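
Added example (not part of the original thread, and not Splunk's own tooling): a small shell filter for the btool check suggested above. It reads `splunk btool indexes list --debug` output on stdin and reports, per index stanza, the effective repFactor and the file that set it. The sample input is constructed, and the function names are hypothetical; it assumes file paths without spaces.

```shell
#!/bin/sh
# Constructed sample of `splunk btool indexes list --debug` output on a peer.
# With --debug every line is prefixed by the file that supplied it.
sample_btool_output() {
cat <<'EOF'
/opt/splunk/etc/system/default/indexes.conf [default]
/opt/splunk/etc/system/default/indexes.conf repFactor = 0
/opt/splunk/etc/slave-apps/_cluster/default/indexes.conf [_internal]
/opt/splunk/etc/slave-apps/_cluster/default/indexes.conf repFactor = auto
/opt/splunk/etc/system/default/indexes.conf [main]
/opt/splunk/etc/system/default/indexes.conf homePath = $SPLUNK_DB/defaultdb/db
/opt/splunk/etc/system/default/indexes.conf repFactor = 0
/opt/splunk/etc/slave-apps/_cluster/local/indexes.conf [test]
/opt/splunk/etc/slave-apps/_cluster/local/indexes.conf homePath = $SPLUNK_DB/test/db
/opt/splunk/etc/slave-apps/_cluster/local/indexes.conf repFactor = auto
EOF
}

# Print "<index> <repFactor> <source file>" for each index stanza.
# [default] and [volume:...] stanzas are not indexes and are skipped.
index_repfactor_report() {
  awk '
    {
      file = $1
      line = $0
      sub(/^[^ \t]+[ \t]+/, "", line)   # drop the source-file prefix
      sub(/[ \t\r]+$/, "", line)        # drop trailing whitespace / CR
    }
    line ~ /^\[.*\]$/ {
      idx = substr(line, 2, length(line) - 2)
      if (idx == "default" || idx ~ /^volume:/) { idx = ""; next }
      order[++n] = idx; rf[idx] = "unset"; src[idx] = "-"
      next
    }
    idx != "" && line ~ /^repFactor[ \t]*=/ {
      split(line, kv, "[ \t]*=[ \t]*")
      rf[idx] = kv[2]; src[idx] = file
    }
    END { for (i = 1; i <= n; i++) print order[i], rf[order[i]], src[order[i]] }
  '
}

# Indexes that exist on the peer but will not be replicated by the cluster.
unreplicated_indexes() {
  index_repfactor_report | awk '$2 != "auto" { print $1 }'
}

# On a real peer: /opt/splunk/bin/splunk btool indexes list --debug | index_repfactor_report
sample_btool_output | index_repfactor_report
```

If the [test] stanza is missing from the report on a peer, the pushed indexes.conf is not being read there; if it is present with a source under slave-apps, the configuration arrived.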

princemanto2580
Path Finder

Hi garethatiag,

I didn't run /opt/splunk/bin/splunk btool indexes list --debug on the cluster peer. But from the GUI, I didn't see the index "test" on each cluster peer.

Which means the configuration is wrong!

0 Karma

gjanders
SplunkTrust

Interesting, I see 112 configured indexes on a peer and 88 of them are clustered/have data actively according to the master.
So it does sound like something may be incorrectly configured...

0 Karma

princemanto2580
Path Finder

Can you confirm whether, in your configuration, indexes.conf is located under master-apps/_cluster/local/?

Or have you put your indexes.conf under another app within master-app/your_app/local/?

0 Karma

gjanders
SplunkTrust

Most of my index configuration is in the above location on the master.

0 Karma