- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Why is there a failure error when integrating splu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is there a failure error when integrating splunk SH cluster with Indexing Cluster?
We have 3 node indexer Cluster and have setup a 3 node Search Head(SH) cluster. We are trying to integrate the SH cluster with the index cluster. I'm running the following command:
./splunk edit cluster-config -mode searchhead -master_uri https://master:8089 -secret
I run this on each SH cluster member and they all give the following response:
Could not contact master. Check that the master is up, the master_uri=https://master:8089 and secret are specified correctly
I've confirmed that everything is correct. I tested with curl and telnet to make sure the master could be reached on 8089 from each SH. The search head cluster is up and running as is the indexer cluster. I've attempted to change master to fqdn and IP address.
Does anyone have any other suggestions? This seems like such an easy fix but it's been driving me crazy for 2 days.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey dannyard,
In your command after secret the secretkey also has to be added.
./splunk edit cluster-config -mode searchhead -master_uri https://master:8089 -secret secretkey
You can refer the doc below:
http://docs.splunk.com/Documentation/Splunk/7.0.2/DistSearch/SHCdeploymentoverview
Let me know if this works!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, yes - I accidentally left that of my post but I am adding the password after secret
As an update, I went into server.conf on each SH cluster member and changed mode=disabled to mode=searchhead. I imagine that is what the command is supposed to do but it didn't work
After doing so I was able to get the SH cluster integrated with the indexer cluster. I went back to run that command and this time it was successful, or so it said. Of course all was working so not sure if it actually did anything, but at least the command execution didn't error out. Wonder if others have had issues with this command
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found a post online from someone that submitted their server.conf. I noticed on our searchheads, each server.conf file had mode=disabled whereas the poster had mode=searchhead. I changed that on each of my searchheads and now I am able to query the index cluster, but I'm not getting the same amount of data the stand alone search head sees (It's looking at the same indexer cluster)
.conf24 | Day 0
Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...
Troubleshooting the OpenTelemetry Collector
