- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- What is the knowledge bundle deafult behavour? [Qu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the knowledge bundle deafult behavour? [Question was asked but i was incorrect in my understanding of a knowledge bundle]
Hi
I have one search head and 2 search nodes(non clustered).
I have an app installed on the search head, but i had to manually install the app to the 2 search nodes, but i get the feeling this should have happened by default with "knowledge bundle".
http://docs.splunk.com/Documentation/Splunk/7.2.1/DistSearch/Limittheknowledgebundlesize
Or do i have to specify my app specifically, if so how and where?
When i check my "search peers" i can see "Replication Status" = Successfull
Thanks in advance
Robert Lynch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your indexers are currently not clustered, you could use a Deployment Server to push the app to all of your indexers. In a clustered environment, you would use the Cluster Master to do this.
Do you currently have a Deployment Server?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI
I started to us a Forwarder Management on a deployment server and it worked thanks 🙂
Robbie
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Thanks for the replay.
I don't have a Deployment server nor cluster master - what one would be easier to apply, i am assuming i need to get one.
http://docs.splunk.com/Documentation/Splunk/7.2.1/Updating/Planadeployment
However i am reading that a deployment server cant be a search head also. My plan was to change things in my search-head and these changes get pushed out to my search nodes.
So for example if i am logging into my search head and I make a change to my APP [Datamodel limits.conf etc..], I want this change to be take effect in my search nodes.
So if this is not possible how does it work? So would a cluster master be easier for this?
Thanks
Rob
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, about terminology - knowledge bundle is defined as -
What search heads send to search peers
-- When initiating a distributed search, the search head replicates and distributes its knowledge objects to its search peers, or indexers. Knowledge objects include saved searches, event types, and other entities used in searching across indexes. The search head needs to distribute this material to its search peers so that they can properly execute queries on its behalf. This set of knowledge objects is called the knowledge bundle.
And Replication Status is about data replication across indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. I was incorrect in my understanding. - Thanks for the correction
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
