
index creation from HF

KhalidAlharthi
Explorer

Hello members,

 

I have a clustered environment. I created an index on the HF and data inputs to receive syslog, and I created the same index inside indexes.conf on the cluster master, then pushed the configuration.

The index does not appear in the indexer cluster on the CM and is not searchable. I tried to use btool inside each indexer and my index appears among the loaded indexes.

So what is the problem?


batabay
Path Finder

Hi,

If you want to see your index on the CM, there must be at least one log collected for this index.

Can you check logs coming to this index with "tcpdump -i any port 514" on the HF server?

And you must check your firewall permissions with "firewall-cmd --list-all".


KhalidAlharthi
Explorer

@batabay when I ran your firewall-cmd command, I found that the syslog port is not in the allowed ports to forward.


isoutamo
SplunkTrust

Hi

Basically it's enough that you have created the index on the cluster master and then pushed it to the search peers. On the HF it's more of a nice to have. Of course, if you have some modular inputs which you are configuring with the GUI, those usually also need the indexes configured on the HF.

Have you correctly configured your HF to just forward events to the indexers instead of storing them locally?

Have you configured other indexes on the HF which are currently found in your indexer cluster, and do those events go through this HF?

When you configure indexes on the CM, that doesn't mean those are seen locally on the CM. Those indexes are pushed only to the peers!

Could it be that those new indexes are e.g. under master-apps and the old ones are under manager-apps on your CM? You can use only one of those places, not both. If I recall right, manager-apps has higher priority over master-apps (the old place). So if you have any cluster peer configurations (also other than indexes.conf) then all configurations must move there, or otherwise they are not working.

Again, btool is your friend. You can go into any peer and try

splunk btool indexes list --debug <your index name> 

This shows if it's deployed to the peer and, if so, where it is.

If I recall right there are some options for how to run this also on the CM and see what it deploys to the peers, but I cannot find that option now.

But anyhow, just look on your CM and ensure that you are using only master-apps or manager-apps and not both. Basically you should see this also in the _internal logs.

r. Ismo

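Added example (not code from any poster in this thread and not Splunk's own tooling): a POSIX shell script that turns the three checks raised above into functions you can run on the relevant hosts: whether the CM defines the index under both master-apps and manager-apps (isoutamo's conflict), whether the HF keeps a local copy instead of only forwarding (isoutamo's question; Splunk's real `[indexAndForward]` `index = true` setting in outputs.conf is what makes a heavy forwarder index locally), and whether the syslog port is allowed in the firewalld zone printed by `firewall-cmd --list-all` (batabay's check). The function names are assumptions, and the mock $SPLUNK_HOME tree and firewall-cmd output built at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Added troubleshooting helpers for the checks discussed in this thread.
# Not Splunk tooling and not code from any poster; function names are assumptions.
# Fixtures below are a constructed mock $SPLUNK_HOME tree and constructed
# "firewall-cmd --list-all" output so the script runs offline.

# 1. On the CM: is the index stanza defined under BOTH master-apps (old location)
#    and manager-apps (new location)?  Prints the sorted list of locations that
#    define it; two entries means the conflict isoutamo describes.
cm_index_locations() {   # usage: cm_index_locations SPLUNK_HOME INDEX
    home="$1"; idx="$2"; found=""
    for loc in master-apps manager-apps; do
        for conf in "$home/etc/$loc"/*/local/indexes.conf "$home/etc/$loc"/*/default/indexes.conf; do
            [ -f "$conf" ] || continue
            # a stanza line is exactly "[index_name]", ignoring trailing whitespace
            grep -q "^\[$idx\][[:space:]]*$" "$conf" && found="$found $loc"
        done
    done
    printf '%s\n' $found | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# 2. On the HF: does it keep a local copy instead of only forwarding?  Splunk's
#    "[indexAndForward] index = true" in outputs.conf makes a heavy forwarder
#    index locally. Returns 0 (true) if that setting is found.
hf_stores_locally() {    # usage: hf_stores_locally SPLUNK_HOME
    home="$1"
    for conf in "$home"/etc/system/local/outputs.conf "$home"/etc/apps/*/local/outputs.conf; do
        [ -f "$conf" ] || continue
        # track the current stanza; only honour index=true inside [indexAndForward]
        awk '/^\[/ { in_s = ($0 ~ /^\[indexAndForward\]/) }
             in_s && /^[[:space:]]*index[[:space:]]*=[[:space:]]*true/ { found = 1 }
             END { exit found ? 0 : 1 }' "$conf" && return 0
    done
    return 1
}

# 3. Firewall: is PORT/PROTO allowed in the zone shown by "firewall-cmd --list-all"?
#    Reads the saved command output from FILE. Matches an explicit "ports:" entry
#    or, for 514/udp, firewalld's predefined "syslog" service.
fw_port_open() {         # usage: fw_port_open FILE PORT/PROTO
    file="$1"; want="$2"
    grep -E '^[[:space:]]*ports:' "$file" | tr ' ' '\n' | grep -qx "$want" && return 0
    if [ "$want" = "514/udp" ]; then
        grep -E '^[[:space:]]*services:' "$file" | tr ' ' '\n' | grep -qx syslog && return 0
    fi
    return 1
}

# ---- constructed demo fixtures: the situation from the thread, reproduced ----
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/cm/etc/master-apps/old_indexes/local" \
         "$DEMO/cm/etc/manager-apps/new_indexes/local" \
         "$DEMO/hf/etc/system/local"
# same index defined in both CM locations (the conflict)
printf '[syslog]\nhomePath = $SPLUNK_DB/syslog/db\n' > "$DEMO/cm/etc/master-apps/old_indexes/local/indexes.conf"
printf '[syslog]\nhomePath = $SPLUNK_DB/syslog/db\n' > "$DEMO/cm/etc/manager-apps/new_indexes/local/indexes.conf"
# HF that indexes locally as well as forwarding
printf '[indexAndForward]\nindex = true\n\n[tcpout]\ndefaultGroup = idx\n' > "$DEMO/hf/etc/system/local/outputs.conf"
# firewalld zone with the Splunk receiving port open but not syslog
cat > "$DEMO/firewall.txt" <<'EOF'
public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 9997/tcp
EOF

echo "CM locations defining [syslog]: $(cm_index_locations "$DEMO/cm" syslog)"
if hf_stores_locally "$DEMO/hf"; then echo "HF stores locally: yes"; else echo "HF stores locally: no"; fi
if fw_port_open "$DEMO/firewall.txt" 514/udp; then echo "514/udp allowed: yes"; else echo "514/udp allowed: no"; fi
```

On a real host you would call `cm_index_locations /opt/splunk <index>` on the CM, `hf_stores_locally /opt/splunk` on the HF, and `firewall-cmd --list-all > /tmp/fw.txt; fw_port_open /tmp/fw.txt 514/udp` on the HF. The script only reads files: the stanza match is a plain grep rather than Splunk's full configuration layering, so isoutamo's `splunk btool indexes list --debug` on a peer remains the authoritative check of what the bundle actually delivered.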

KhalidAlharthi
Explorer

Have you correctly configured your HF to just forward events to the indexers instead of storing them locally?

I have configured the index from the GUI and the data inputs also. How could I know if it's stored locally or not?

Have you configured other indexes on the HF which are currently found in your indexer cluster, and do those events go through this HF?

Yes, there are index names that come from the HF and are also found in the CM indexer cluster (they are coming from the HF).

When you configure indexes on the CM, that doesn't mean those are seen locally on the CM. Those indexes are pushed only to the peers!

When I configured the index from the HF, I did the same inside indexes.conf in the manager-apps directory.

Could it be that those new indexes are e.g. under master-apps and the old ones are under manager-apps on your CM? You can use only one of those places, not both.

All the indexes in the CM are inside manager-apps.

I did splunk btool indexes list --debug <your index name> and the index is showing with the same settings inside the CM after pushing the bundle.

 



KhalidAlharthi
Explorer

Yeah, I got events from tcpdump.

No blocking from the firewall.
