I'm new to setting up clusters and I assumed that the Splunk instances (deployment, deployer, search head, cluster master, etc.) would naturally forward their own Splunk logs ($SPLUNK_HOME/var/log/splunk/*).
Are they, and am I missing them?
host=cluster-master index=* no results...
Is there an app, best practice, or some documentation regarding this?
I can't find what I am looking for in the monitoring console, which is:
Failed to register with cluster master
reason: failed method=POST
status_line="Internal Server Error"
Everything seems to be working fine...
Have you set up outputs.conf on your components? Splunk requires outputs.conf to be configured -- same as the universal forwarders -- before these components will send their logs to your index cluster.
You can find more information in this documentation link:
Short answer: yes.
Long answer: (I didn't configure this bit.) On the cluster master, /opt/splunk/etc/apps/clusterforwarderoutputs/local/outputs.conf has:
defaultGroup = primary_indexers
maxQueueSize = 7MB
useACK = true
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
server = indxer01.fqdn:9997, indxer02.fqdn:9997
autoLB = true
I can see the instances (5) in the CM under overview & resources, but nowhere else.
But I also found the following in another outputs.conf, which I am guessing is the cause of the problem:
index = false
forwardedindex.filter.disable = true
indexAndForward = false
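An added example, not code from this thread: a small Python check that parses a [tcpout] stanza and applies its forwardedindex whitelist/blacklist rules to index names, so you can see whether _internal, _audit and _introspection would actually leave a component. The conf text and hostnames are constructed; rules 0 and 1 are the defaults Splunk ships, rule 2 is the whitelist quoted above, and treating each regex as a whole-name match is an assumption.

```python
import configparser
import re

# Constructed outputs.conf text, not from the thread. Rules 0 and 1 are the
# defaults Splunk ships in system/default/outputs.conf; rule 2 is the whitelist
# quoted from the cluster master's clusterforwarderoutputs app above.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = primary_indexers
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
forwardedindex.filter.disable = false

[tcpout:primary_indexers]
server = indexer01.example:9997, indexer02.example:9997
useACK = true
"""

RULE_KEY = re.compile(r"^forwardedindex\.(\d+)\.(whitelist|blacklist)$")


def load_tcpout(conf_text):
    """Parse the conf text and return the [tcpout] stanza as a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep Splunk's case-sensitive keys (defaultGroup)
    parser.read_string(conf_text)
    return dict(parser["tcpout"])


def forwarded_indexes(tcpout, candidates):
    """Return the candidate index names the forwardedindex filter lets through.
    Assumption: the highest-numbered rule whose regex matches the whole index
    name decides (whitelist forwards, blacklist drops); no match means drop.
    forwardedindex.filter.disable = true bypasses the rules and forwards all.
    """
    if tcpout.get("forwardedindex.filter.disable", "false").lower() == "true":
        return set(candidates)
    rules = []
    for key, pattern in tcpout.items():
        m = RULE_KEY.match(key)
        if m:
            rules.append((int(m.group(1)), m.group(2), re.compile(pattern)))
    rules.sort(key=lambda r: r[0])
    forwarded = set()
    for name in candidates:
        verdict = False
        for _, kind, regex in rules:  # higher n overrides lower n
            if regex.fullmatch(name):
                verdict = kind == "whitelist"
        if verdict:
            forwarded.add(name)
    return forwarded
```

Run it against your own [tcpout] stanza (btool output works) to confirm that _internal is whitelisted before assuming the indexers should have the component's logs.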