Deployment Architecture

search header cluster

wangyu
Loves-to-Learn Lots

I deployed the search header cluster and also deployed the indexer cluster, and merged the search header cluster and the indexer cluster. After downloading the sample data and uploading it to the indexer, all members of the indexer cluster can search for the uploaded data. When searching for members in the header cluster, there are two that cannot be searched for the uploaded data, and one that can be searched. "Unable to distribute to peer named 192.168.44.159 at uri=192.168.44.159:8089 using the uri scheme=https because peer has status=Down. Verify uri scheme, connectivity to the search peer, that the search peer is up, and that an equivalent level of system resources are available. See the Troubleshooting Manual for more information."

Labels (1)
0 Karma

sigma
Path Finder

Hi,

Did you check sslVersions in authentication.conf and server.conf?
Check that the SSL version is consistent among cluster members.

Regards.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @wangyu ,

did you followed the instructions at https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/Clusterdeploymentoverview and https://docs.splunk.com/Documentation/Splunk/9.2.1/DistSearch/SHCdeploymentoverview ?

I suppose that you checked the connections between the members al the required ports:

  • IDX replication: by default 9100,
  • SHC replication 9200,
  • connection between IDXs and Cluster Manager 8089,
  • connection between SHs and Deployer 8089,
  • connection between SHs and IDXs 8089.

Then, how many SHs do you have in your SHC? they must be at least 3.

Ciao.

Giuseppe

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

Have you done this on all SHC members?

Configure each search head cluster member as a search head on the indexer cluster. Use the CLI splunk edit cluster-config command. For example:

https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/SHCandindexercluster

One correction for those default ports. There is no default ports (or alt least earlier haven't been) for IDX replication or SHC replication. There are some commonly used ports, those are not default, you must always define those manually in CLI, conf files or in GUI!

r. Ismo 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...