Installation

Join Splunk Enterprise Stand-Alone SH to Indexer Cluster

JohnEGones
Communicator

Hi Fellow Splunkers,

Perhaps I can get some different perspective, I am setting up a new standalone SH to be joined to an existing indexer cluster, but I seem to be running into an issue where when I try to point this server to the idx cluster, specifying the idx CM as the manager [manager_uri], I get an error where the SH will not be joined as a SH node.

I am referencing the DOCS here: Enable the search head - Splunk Documentation

I also note that there is an existing SH cluster that is joined to the indexer cluster.

When I edit the server.conf I get an error that the SH cannot connect to the manager node, even though I have verified and double-checked the stanzas and key values. 

From what I have described, what might be the issue?

 

Labels (3)
Tags (3)
0 Karma
1 Solution

JohnEGones
Communicator

So I got a resolution elsewhere, and I want to close this post out with a resolution so it is help to anyone else:

"You should be able to fix that problem and join the cluster by updating your server.conf as follows."

 

[general]
site = site1


[clustering]
multisite = true
manager_uri = https://YourClusterManagerIP:8089
mode = searchhead
pass4SymmKey = ClearText

 

"To configure a search head in a multisite cluster, you set a site attribute in the [general] stanza and a multisite attribute in the [clustering] stanza. All other configuration settings are identical to a search head in a single-site cluster.

Be sure to use the clear text pass4symmkey again and restart the splunk service."

View solution in original post

0 Karma

JohnEGones
Communicator

Hi guys,

Thanks for responding, and apologies for the long delay.

There is an error for one of the multisite variables not being configured properly and then a bunch of subsequent errors that the server cannot reach to the CM.

I will also add that this is a HA multisite config and idk how this impacts how the needed cluster stanza variables that need to be configured.

0 Karma

JohnEGones
Communicator

So I got a resolution elsewhere, and I want to close this post out with a resolution so it is help to anyone else:

"You should be able to fix that problem and join the cluster by updating your server.conf as follows."

 

[general]
site = site1


[clustering]
multisite = true
manager_uri = https://YourClusterManagerIP:8089
mode = searchhead
pass4SymmKey = ClearText

 

"To configure a search head in a multisite cluster, you set a site attribute in the [general] stanza and a multisite attribute in the [clustering] stanza. All other configuration settings are identical to a search head in a single-site cluster.

Be sure to use the clear text pass4symmkey again and restart the splunk service."

0 Karma

marnall
Motivator

Unfortunately this error does not give any reason _why_ the search head cannot connect to the manager node. If the stanza is exactly correct between the working search head and the non-working search head, then it could be a network connectivity issue or a firewall issue rather than a splunk issue.

Do you see any errors in the _internal logs that may describe the reason why the search head was failing to connect?

kiran_panchavat
Contributor

@JohnEGones 

Here you go, https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Configuresearchheadwithserverconf

Does my answer above solve your question ? If yes, spare a moment to accept the answer and vote for it. Thanks.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...