Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

What is the knowledge bundle deafult behavour? [Question was asked but i was incorrect in my understanding of a knowledge bundle]

robertlynch2020
Influencer
‎11-21-2018 07:56 AM

Hi

I have one search head and 2 search nodes(non clustered).

I have an app installed on the search head, but i had to manually install the app to the 2 search nodes, but i get the feeling this should have happened by default with "knowledge bundle".

http://docs.splunk.com/Documentation/Splunk/7.2.1/DistSearch/Limittheknowledgebundlesize

Or do i have to specify my app specifically, if so how and where?
When i check my "search peers" i can see "Replication Status" = Successfull

Thanks in advance
Robert Lynch

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎11-21-2018 08:46 AM

If your indexers are currently not clustered, you could use a Deployment Server to push the app to all of your indexers. In a clustered environment, you would use the Cluster Master to do this.

Do you currently have a Deployment Server?

Reply

robertlynch2020
Influencer
‎11-24-2018 02:56 AM

HI

I started to us a Forwarder Management on a deployment server and it worked thanks 🙂

Robbie

0 Karma
Reply

robertlynch2020
Influencer
‎11-22-2018 07:08 AM

Hi

Thanks for the replay.
I don't have a Deployment server nor cluster master - what one would be easier to apply, i am assuming i need to get one.

http://docs.splunk.com/Documentation/Splunk/7.2.1/Updating/Planadeployment

However i am reading that a deployment server cant be a search head also. My plan was to change things in my search-head and these changes get pushed out to my search nodes.

So for example if i am logging into my search head and I make a change to my APP [Datamodel limits.conf etc..], I want this change to be take effect in my search nodes.

So if this is not possible how does it work? So would a cluster master be easier for this?

Thanks
Rob

0 Karma
Reply

ddrillic
Ultra Champion
‎11-21-2018 08:37 AM

First, about terminology - knowledge bundle is defined as -

What search heads send to search peers

-- When initiating a distributed search, the search head replicates and distributes its knowledge objects to its search peers, or indexers. Knowledge objects include saved searches, event types, and other entities used in searching across indexes. The search head needs to distribute this material to its search peers so that they can properly execute queries on its behalf. This set of knowledge objects is called the knowledge bundle.

And Replication Status is about data replication across indexers.

Reply

robertlynch2020
Influencer
‎11-23-2018 07:29 AM

Thanks. I was incorrect in my understanding. - Thanks for the correction

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...