I'm putting together a large environment, so I'm hoping to get this sorted out before I dig myself into a hole.
I have multiple indexers (4 currently, more in the future), two search heads, and many forwarders.
One of those indexers functions as a deployment server.
The forwarders are all configured for auto load balancing between the four indexers (the list is maintained via DNS. Several A records with the same name and multiple IPs.)
As we bring in new application logs into the environment (and it is happening quite rapidly), I'm finding it isn't that simple to keep the props.conf, transforms.conf, etc all properly sycned up between the indexers. Same goes for indexes.conf.
What is the best/preferred way to maintain a uniform configuration between multiple indexers?
Also, I know that index-time field extractions must be on the indexers. That's obvious. For search-time extractions however - do those have to be on the search heads, or will the indexers report those fields back up to the search head while they perform the search?
I have a few thoughts/ideas. Not sure if they are good ones though.
- Define one of the indexers to be the "primary" indexer - the one where all the configs originate from. Set up an rsync job of $SPLUNK_HOME/etc from that one to all the other indexers.
- Have all the other indexers connect to the deployment server (which is also an indexer). Symlink the relevant *.conf files from one indexer over into a directory in $SPLUNK_HOME/etc/deployment-apps and have that be pushed to the other indexers.
Any better plans?
