Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How can I monitor Splunk instances (deployment...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I monitor Splunk instances (deployment, deployer, seach head, cluster master, etc.)?
I'm new to setting up clusters and I assumed that the splunk instances (deployment, deployer, seach head, cluster master, etc) would naturally forward their own splunk logs ($SPLUNK_HOME/var/log/splunk/*).
Are they and I am missing them? host=cluster-master index=* no results...
Is there an app, best practice, or some documentation regarding this?
I can't find what I am looking for in the monitoring console, which is:
Failed to register with cluster master
reason: failed method=POST
expected_response_code=2xx
actual_response_code=500
status_line="Internal Server Error"
Everything seems to be working fine...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you set up outputs.conf on your components? Splunk requires outputs.conf to be configured -- same as the universal forwarders -- before these components will send their logs to your index cluster.
You can find more information in this documentation link:
https://docs.splunk.com/Documentation/Splunk/6.6.2/DistSearch/Forwardsearchheaddata
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Short answer: yes.
Long answer: (I didn't configure this bit) On the cluster master, in /opt/splunk/etc/apps/cluster_forwarder_outputs/local/outputs.conf it has:
[tcpout]
defaultGroup = primary_indexers
maxQueueSize = 7MB
useACK = true
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
[tcpout:primary_indexers]
server = indxer01.fqdn:9997, indxer02.fqdn:9997
autoLB = true
I can see the instances (5) in the CM under overview & resources, but nowhere else.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
but I also found the following in another outputs.conf, which I am guessing is the cause of the problem:
[indexAndForward]
index = false
[tcpout]
forwardedindex.filter.disable = true
indexAndForward = false
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
