Solved: Join Splunk Enterprise Stand-Alone SH to Indexer C...

JohnEGones · ‎04-27-2024

Hi Fellow Splunkers,

Perhaps I can get some different perspective, I am setting up a new standalone SH to be joined to an existing indexer cluster, but I seem to be running into an issue where when I try to point this server to the idx cluster, specifying the idx CM as the manager [manager_uri], I get an error where the SH will not be joined as a SH node.

I am referencing the DOCS here: Enable the search head - Splunk Documentation

I also note that there is an existing SH cluster that is joined to the indexer cluster.

When I edit the server.conf I get an error that the SH cannot connect to the manager node, even though I have verified and double-checked the stanzas and key values.

From what I have described, what might be the issue?

JohnEGones · ‎04-30-2024

So I got a resolution elsewhere, and I want to close this post out with a resolution so it is help to anyone else:

"You should be able to fix that problem and join the cluster by updating your server.conf as follows."

[general]
site = site1


[clustering]
multisite = true
manager_uri = https://YourClusterManagerIP:8089
mode = searchhead
pass4SymmKey = ClearText

"To configure a search head in a multisite cluster, you set a site attribute in the [general] stanza and a multisite attribute in the [clustering] stanza. All other configuration settings are identical to a search head in a single-site cluster.

Be sure to use the clear text pass4symmkey again and restart the splunk service."

View solution in original post

JohnEGones · ‎04-30-2024

Hi guys,

Thanks for responding, and apologies for the long delay.

There is an error for one of the multisite variables not being configured properly and then a bunch of subsequent errors that the server cannot reach to the CM.

I will also add that this is a HA multisite config and idk how this impacts how the needed cluster stanza variables that need to be configured.

JohnEGones · ‎04-30-2024

So I got a resolution elsewhere, and I want to close this post out with a resolution so it is help to anyone else:

"You should be able to fix that problem and join the cluster by updating your server.conf as follows."

[general]
site = site1


[clustering]
multisite = true
manager_uri = https://YourClusterManagerIP:8089
mode = searchhead
pass4SymmKey = ClearText

"To configure a search head in a multisite cluster, you set a site attribute in the [general] stanza and a multisite attribute in the [clustering] stanza. All other configuration settings are identical to a search head in a single-site cluster.

Be sure to use the clear text pass4symmkey again and restart the splunk service."

marnall · ‎04-27-2024

Unfortunately this error does not give any reason _why_ the search head cannot connect to the manager node. If the stanza is exactly correct between the working search head and the non-working search head, then it could be a network connectivity issue or a firewall issue rather than a splunk issue.

Do you see any errors in the _internal logs that may describe the reason why the search head was failing to connect?

kiran_panchavat · ‎04-27-2024

@JohnEGones

Here you go, https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Configuresearchheadwithserverconf

Does my answer above solve your question ? If yes, spare a moment to accept the answer and vote for it. Thanks.

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.

Join Splunk Enterprise Stand-Alone SH to Indexer Cluster

indexer

search head

Windows

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application