Knowledge Management

Clustered Indexers not shown within the DMC despite adding the Master Node as search peer in DMC

damode
Motivator

As per the documentation for adding search peers in DMC which states Do not add clustered indexers, but be sure to add clustered search heads. If you are monitoring an indexer cluster and you are hosting the monitoring console on an instance other than the cluster master, you must add the cluster master(CM) as a search peer.
I have added C.M as a search peer and haven't added any clustered indexers as search peer. However, still I am unable to see Indexers on the overview page of the DMC or under General settings page. All it shows that the Master Node has two peers.

Is this an expected behaviour ?

Tags (1)
0 Karma
1 Solution

harsmarvania57
Ultra Champion

Hi @damode,

Is your MC pointed to Cluster Master to search data from Indexer Cluster Like this https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Enablethesearchhead#Enable_the_search_hea... ?

Docs didn't provide this information and it assumes that if you are running Indexer Cluster and configuring MC on other than Cluster Master then your MC server already configured as Search Head and pointed to Cluster Master to search the data from Indexer Cluster.

View solution in original post

0 Karma

tiagofbmm
Influencer

If your Monitoring Console is not a SearchHead of the Indexer Cluster, you'll need to add the indexers to the MC as search peers anyway. If MC is a search head of the Indexer Cluster, it will automatically be searching the indexers and you don't need to add them

0 Karma

damode
Motivator

But the documentation is so confusing. It doesn't clearly say that apart from integrating the SHC
to search the indexer cluster, in order to be able to view the clusters in the DMC, the DMC also needs to be added enabled as a Search Head on the Indexer Cluster. There is no mention in the DMC documentation about enabling it as a search head within the Indexer Clustering setting.

In this doc, https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Enablethesearchhead, it only says enable a search head to manage searches across the Indexer. How is one supposed to know the S.H mentioned here is applicable for a DMC too.

0 Karma

tiagofbmm
Influencer

I'm not sure how could you have that information without having the indexers as search peers of the MC to be honest

0 Karma

damode
Motivator

Yes, that was my view too but the docs clearly say not to add any clustered indexers. What they failed to mention was that the DMC has to be added as a search head within the indexer clustering setting.

0 Karma

harsmarvania57
Ultra Champion

Hi @damode,

Is your MC pointed to Cluster Master to search data from Indexer Cluster Like this https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Enablethesearchhead#Enable_the_search_hea... ?

Docs didn't provide this information and it assumes that if you are running Indexer Cluster and configuring MC on other than Cluster Master then your MC server already configured as Search Head and pointed to Cluster Master to search the data from Indexer Cluster.

0 Karma

damode
Motivator

if I have a search head cluster then should I enable the search head on all 3 search heads ?

0 Karma

harsmarvania57
Ultra Champion

On which node you are configuring MC ? You can't setup MC on Search Head Cluster members.

0 Karma

damode
Motivator

oh sorry I am mistaken. did you mean enabling search head on the MC ?

0 Karma

harsmarvania57
Ultra Champion

Yes, MC is kind of search head only but The instance hosting the monitoring console must not run any searches unrelated to its function as monitoring console. The exception to this rule is if you are using the console to monitor a standalone single-instance deployment.

0 Karma

damode
Motivator

Got it. I am already running a dedicated MC separate to a SHC I have deployed.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...