Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Addig data input

msalghamdi
Path Finder
‎07-24-2024 02:38 AM

Hello Splunkers

i have clustered splunk 9.2.1 on prem, i have pushed an app from the CM to search head cluster and trying to configure a data input through the search head (option is not available from the CM)

whenever i add a data input i always face this error "Current instance is running in SHC mode and is not able to add new inputs"

how can i fix this ?

 

Labels (3)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-24-2024 05:24 AM

1. CM does not manage SHC. CM manages indexer cluster. Deployer (not deployment server!) is used to push configuration to SHC

2. As @Tom_Lundie said - you don't add inputs using GUI on SHC. In fact, you shouldn't use SHC to run inputs. Even in a smaller environment you shouldn't run inputs on a standalone SH - that's what HFs are for.

0 Karma
Reply

Tom_Lundie
Contributor
‎07-24-2024 04:18 AM

Hi,

This is by design, the problem with running modular inputs on the SHC layer is that if all of the nodes in the cluster attempt to run the input you would get duplicated data and all sorts of problems. Splunk seem to be actively developing a solution for this but do not officially support at the time of writing.

That being said, a handful of apps do have official support (e.g. Splunk DB Connect). These seem to rely on the run_only_one directive in inputs.conf to ensure they only run on the captain node to prevent duplication.

Unless your TA has official support for a deployment on a SHC, I would recommend using a separate, dedicated instance for input collection such as a Heavy Forwarder.

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top