Deployment Architecture

distsearch.conf documentation confusion

omeniasty
New Member

Hello Guys,

I am preparing for Splunk Enterprise Admin certification and I am getting a bit confused by the documentation in Splunk docs.

Namely, there are two different statements in distsearch.conf stanza, and not sure which one is the right one.

Splunk/8.1.2/DistSearch/Configuredistributedsearch - here states:

"Add the search peers

To connect the search peers:

1. On the search head, create or edit a distsearch.conf file in $SPLUNK_HOME/etc/system/local.

2. Add the search peers to the servers setting under the [distributedSearch] stanza. Specify the peers as a set of comma-separated values (host names or IP addresses with management ports). For example:

[distributedSearch]
servers = https://192.168.1.1:8089,https://192.168.1.2:8089

Note: You must precede the host name or IP address with the URI scheme, either "http" or "https"."

 

Splunk/8.1.2/DistSearch/Distributedsearchgroups - the other one here states:

"You define distributed search groups in distsearch.conf.

For example, to create the two search groups NYC and SF, create stanzas like these:

You define distributed search groups in distsearch.conf.

For example, to create the two search groups NYC and SF, create stanzas like these:

[distributedSearch]
# This stanza lists the full set of search peers.
servers = 192.168.1.1:8089, 192.168.1.2:8089, 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089

[distributedSearch:NYC]
# This stanza lists the set of search peers in New York.
default = false
servers = 192.168.1.1:8089, 192.168.1.2:8089

[distributedSearch:SF]
# This stanza lists the set of search peers in San Francisco.
default = false
servers = 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089

 

In the first example, it says that "http/https" is required in hostname/IP under servers variable in [distriburedSearch] stanza, the other one omits it and does not say anything about "http/https" as the required value. I am not at the stage of testing this myself yet, so was thinking maybe I can ask here.

 

Thanks in advance 

Labels (3)
0 Karma

omeniasty
New Member

Just worth adding that documentation for "adding search peers" through CLI, Splunk Web says that http/https is required.

Even Splunk Web console when states this info "Specify the search peer as servername:mgmt_port or URI:mgmt_port. You must prefix the URI with its scheme. For example: 'https://sp1.example.com:8089'."

Does it mean that both versions are acceptable or Splunk/8.1.2/DistSearch/Distributedsearchgroups page is wrong?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...