servers-attribute of distsearch.conf not visible

vicky05ssr
Explorer

Hello, I need a small clarification about distsearch.conf.

As per the documentation, to connect the SH with the indexer, one can configure it on the SH in any of 3 ways: CLI, GUI and conf file. The doc describes it nicely, thanks for that.

In my case, the Splunk environment was already set up in my organisation. I am not aware which way was followed for adding the search peer to the search head.

In the SH GUI, under "Settings --> Distributed search --> Search peers", the server entry is visible, and the SH fetches data from the indexer fine. But my problem is that I am not able to find out in which conf file those server settings are stored.

I tried to locate distsearch.conf inside the whole Splunk directory, but I could not find the server settings anywhere. I then tried to debug with the btool command on the SH and was surprised to see that even there the servers settings are not visible.

Summarizing the problem: the setting is visible in the GUI, but I have no clue in which conf file that setting is stored.

0 Karma

vicky05ssr
Explorer

Thanks for your reply. I did try that, but there are no entries for servers in the output of the above command. I have put the output of the command below, along with the settings from the GUI.

The GUI shows the settings, but the conf file doesn't have it stored anywhere.

GUI proof:


CMD output :

```
[splunk@test_serverSH bin]$ ./splunk btool distsearch list --debug
/opt/splunk/etc/system/default/distsearch.conf [bundleEnforcerBlacklist]
/opt/splunk/etc/system/default/distsearch.conf [bundleEnforcerWhitelist]
/opt/splunk/etc/system/default/distsearch.conf [distributedSearch]
/opt/splunk/etc/system/default/distsearch.conf authTokenConnectionTimeout = 5
/opt/splunk/etc/system/default/distsearch.conf authTokenReceiveTimeout = 10
/opt/splunk/etc/system/default/distsearch.conf authTokenSendTimeout = 10
/opt/splunk/etc/system/default/distsearch.conf bestEffortSearch = false
/opt/splunk/etc/system/default/distsearch.conf connectionTimeout = 10
/opt/splunk/etc/system/default/distsearch.conf disabled = false
/opt/splunk/etc/system/default/distsearch.conf peerResolutionThreads = 0
/opt/splunk/etc/system/default/distsearch.conf receiveTimeout = 600
/opt/splunk/etc/system/default/distsearch.conf sendTimeout = 30
/opt/splunk/etc/system/default/distsearch.conf serverTimeout = 10
/opt/splunk/etc/system/default/distsearch.conf servers =
/opt/splunk/etc/system/default/distsearch.conf shareBundles = true
/opt/splunk/etc/system/default/distsearch.conf statusTimeout = 10
/opt/splunk/etc/system/default/distsearch.conf useSHPBundleReplication = true
/opt/splunk/etc/system/default/distsearch.conf [replicationBlacklist]
/opt/splunk/etc/system/default/distsearch.conf conf = (system|(apps/))/(default|local)/server.conf
/opt/splunk/etc/system/default/distsearch.conf framework = apps/framework/...
/opt/splunk/etc/system/default/distsearch.conf sampleapp = apps/sample_app/...
/opt/splunk/etc/system/default/distsearch.conf user_specific_meta = users(/_reserved)?/
//metadata/local.meta
/opt/splunk/etc/system/default/distsearch.conf [replicationSettings]
/opt/splunk/etc/system/default/distsearch.conf allowDeltaUpload = true
/opt/splunk/etc/system/default/distsearch.conf allowSkipEncoding = true
/opt/splunk/etc/system/default/distsearch.conf allowStreamUpload = auto
/opt/splunk/etc/system/default/distsearch.conf concerningReplicatedFileSize = 50
/opt/splunk/etc/system/default/distsearch.conf connectionTimeout = 60
/opt/splunk/etc/system/default/distsearch.conf maxBundleSize = 1024
/opt/splunk/etc/system/default/distsearch.conf maxMemoryBundleSize = 10
/opt/splunk/etc/system/default/distsearch.conf replicationThreads = 5
/opt/splunk/etc/system/default/distsearch.conf sanitizeMetaFiles = true
/opt/splunk/etc/system/default/distsearch.conf sendRcvTimeout = 60
/opt/splunk/etc/system/default/distsearch.conf [replicationSettings:refineConf]
/opt/splunk/etc/system/default/distsearch.conf replicate.app = true
/opt/splunk/etc/system/default/distsearch.conf replicate.authorize = true
/opt/splunk/etc/system/default/distsearch.conf replicate.collections = true
/opt/splunk/etc/system/default/distsearch.conf replicate.commands = true
/opt/splunk/etc/system/default/distsearch.conf replicate.eventtypes = true
/opt/splunk/etc/system/default/distsearch.conf replicate.fields = true
/opt/splunk/etc/system/default/distsearch.conf replicate.literals = true
/opt/splunk/etc/system/default/distsearch.conf replicate.multikv = true
/opt/splunk/etc/system/default/distsearch.conf replicate.props = true
/opt/splunk/etc/system/default/distsearch.conf replicate.segmenters = true
/opt/splunk/etc/system/default/distsearch.conf replicate.tags = true
/opt/splunk/etc/system/default/distsearch.conf replicate.transactiontypes = true
/opt/splunk/etc/system/default/distsearch.conf replicate.transforms = true
/opt/splunk/etc/system/default/distsearch.conf [replicationWhitelist]
/opt/splunk/etc/system/default/distsearch.conf other = (system|(apps/(?!pdfserver)
)|users(/_reserved)?//)/(bin|lookups)/...
/opt/splunk/etc/system/default/distsearch.conf refine.conf = (system|(apps/)|users(/_reserved)?//)/(default|local)/.conf
/opt/splunk/etc/system/default/distsearch.conf refine.metadata = (system|(apps/)|users(/_reserved)?//)/metadata/.meta
/opt/splunk/etc/system/default/distsearch.conf searchscripts = searchscripts/...
/opt/splunk/etc/system/default/distsearch.conf [tokenExchKeys]
/opt/splunk/etc/system/default/distsearch.conf certDir = $SPLUNK_HOME/etc/auth/distServerKeys
/opt/splunk/etc/system/default/distsearch.conf genKeyScript = $SPLUNK_HOME/bin/splunk, createssl, audit-keys
/opt/splunk/etc/system/default/distsearch.conf privateKey = private.pem
/opt/splunk/etc/system/default/distsearch.conf publicKey = trusted.pem

[splunk@test_serverSH bin]$
```

0 Karma

micahkemp
Champion

`splunk btool distsearch list --debug`

0 Karma
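
An added example, not part of the thread or of Splunk's own tooling: a small Python parser for `btool distsearch list --debug` output like the one posted above, reporting which file supplied the winning value of each stanza/key, so that an empty `servers` coming only from the default layer stands out. The function names and the second sample (a local override with a made-up peer address) are constructed for illustration.

```python
# Sample 1: lines taken from the btool output posted in the thread.
POSTED = """\
[splunk@test_serverSH bin]$ ./splunk btool distsearch list --debug
/opt/splunk/etc/system/default/distsearch.conf [distributedSearch]
/opt/splunk/etc/system/default/distsearch.conf connectionTimeout = 10
/opt/splunk/etc/system/default/distsearch.conf servers =
/opt/splunk/etc/system/default/distsearch.conf [replicationSettings]
/opt/splunk/etc/system/default/distsearch.conf connectionTimeout = 60
"""

# Sample 2: constructed, showing what a local override would look like.
CONSTRUCTED = """\
/opt/splunk/etc/system/default/distsearch.conf [distributedSearch]
/opt/splunk/etc/system/local/distsearch.conf servers = https://idx1.example.com:8089
"""


def parse_btool_debug(text):
    """Map (stanza, key) -> (source file, value) from --debug output."""
    settings, stanza = {}, None
    for line in text.splitlines():
        parts = line.split(None, 1)
        # Skip shell prompts, blank lines and wrapped continuation lines.
        if len(parts) != 2 or not parts[0].endswith(".conf"):
            continue
        path, rest = parts[0], parts[1].strip()
        if rest.startswith("[") and rest.endswith("]"):
            stanza = rest[1:-1]
        elif "=" in rest and stanza is not None:
            key, _, value = rest.partition("=")
            settings[(stanza, key.strip())] = (path, value.strip())
    return settings


def locate(settings, stanza, key):
    """Describe where a setting's effective value comes from."""
    if (stanza, key) not in settings:
        return "absent"
    path, value = settings[(stanza, key)]
    layer = "default" if "/default/" in path else "non-default"
    state = "empty" if value == "" else "set"
    return f"{state} in {layer} layer: {path}"


if __name__ == "__main__":
    for name, sample in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        result = locate(parse_btool_debug(sample), "distributedSearch", "servers")
        print(f"{name}: servers is {result}")
```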