Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Addig data input

msalghamdi
Path Finder
‎07-24-2024 02:38 AM

Hello Splunkers

i have clustered splunk 9.2.1 on prem, i have pushed an app from the CM to search head cluster and trying to configure a data input through the search head (option is not available from the CM)

whenever i add a data input i always face this error "Current instance is running in SHC mode and is not able to add new inputs"

how can i fix this ?

 

Labels (3)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-24-2024 05:24 AM

1. CM does not manage SHC. CM manages indexer cluster. Deployer (not deployment server!) is used to push configuration to SHC

2. As @Tom_Lundie said - you don't add inputs using GUI on SHC. In fact, you shouldn't use SHC to run inputs. Even in a smaller environment you shouldn't run inputs on a standalone SH - that's what HFs are for.

0 Karma
Reply

Tom_Lundie
Contributor
‎07-24-2024 04:18 AM

Hi,

This is by design, the problem with running modular inputs on the SHC layer is that if all of the nodes in the cluster attempt to run the input you would get duplicated data and all sorts of problems. Splunk seem to be actively developing a solution for this but do not officially support at the time of writing.

That being said, a handful of apps do have official support (e.g. Splunk DB Connect). These seem to rely on the run_only_one directive in inputs.conf to ensure they only run on the captain node to prevent duplication.

Unless your TA has official support for a deployment on a SHC, I would recommend using a separate, dedicated instance for input collection such as a Heavy Forwarder.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...