Monitoring Splunk

Monitoring Console (MC) not recognizing Search Head Cluster (SHC) Label

sloshburch
Splunk Employee
Splunk Employee

I'm guessing I'm overlooking something obvious here, so reaching out to the community for an extra set of eyes.

I have the label set on the shcluster_label set on the deployer but the "Search Head Cluster(s)" column in the MC Setup never shows the label. As such, I get the warning that "This instance is a search head deployer without a search head cluster label. We recommend you edit this instance to set its search head cluster label."

I even set the shcluster_label in $SPLUNK_HOME/etc/system/local/server.conf. It matches the value on the SHC members. Btool shows it loading correctly. Deployer and SHC members all show site = site0 (as desired).

I even tried the instructions on http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/SHCconfigurationoverview#Set_the_searc... for post setting the label after building the cluster.

Am I overlooking something? Anyone see anything I'm not?

1 Solution

jawaharas
Motivator

This worked for me.

In the Splunk Monitoring Console app,

Navigate to Settings -> General setup
Click Edit -> Edit Instance on 'SHC Deployer' instance's entry
Enter the Search Head Cluster's label in the pop-up window and save.

Below warning won't appear after that.

"At least one of your instances is a search head deployer without a search head cluster label"

View solution in original post

0 Karma

mustapha_arakji
Splunk Employee
Splunk Employee

Same issue here. Even after "Apply Changes" still getting the warnings.

I managed to fix it from Monitoring Console > General Setup > Edit > "Disable Monitoring", then "Enable Monitoring" for each search head and the deployer! (make sure to review the roles after you do this step).

 

0 Karma

jawaharas
Motivator

This worked for me.

In the Splunk Monitoring Console app,

Navigate to Settings -> General setup
Click Edit -> Edit Instance on 'SHC Deployer' instance's entry
Enter the Search Head Cluster's label in the pop-up window and save.

Below warning won't appear after that.

"At least one of your instances is a search head deployer without a search head cluster label"

0 Karma

sloshburch
Splunk Employee
Splunk Employee

What release are you on? It works for me on 7.3 so maybe it's now fixed.

0 Karma

jawaharas
Motivator

We are using 7.1.1

0 Karma

ghantk1
Explorer

Most often this is fixed by apply changes and you have proper roles. Check the permissions on assets.csv under $SPLUNK_HOME/etc/apps/splunk_monitoring_console/lookups and also doublecheck to see if the entry for shcluster exists in the assets.csv.

0 Karma

sloshburch
Splunk Employee
Splunk Employee

I've opened a ticket for this one.

0 Karma

rrthokala
New Member

What was the solution for this?

0 Karma

sloshburch
Splunk Employee
Splunk Employee

No update yet. A work effort for the fix is in the queue and I used your query to ask for an update.

0 Karma

Robbie1194
Communicator

Was a solution ever found for this because I'm getting the exact same issue.

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Not yet. I'm checking again with the product team 😞

0 Karma

ypeng_splunk
Splunk Employee
Splunk Employee

Any solution from the ticket?

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Nothing told to me. But I'll pester again.

0 Karma

ypeng_splunk
Splunk Employee
Splunk Employee

I remember it was alright when I did the same based on v7.2.0 weeks ago. Today, I got the same issue reported by one of my friends for v7.2.3. Just add more info here. I will built a docker cluster soon to see what's going on.

0 Karma

mattymo
Splunk Employee
Splunk Employee

Have you tried the magic "apply settings/changes" in General Setup of the MC to see if it will take the settings?

- MattyMo
0 Karma

sloshburch
Splunk Employee
Splunk Employee

🙂 It's actually once you apply such config that these messages present themselves. So, yea, I tried that but no luck.

0 Karma

woodcock
Esteemed Legend

This is the universe's way of telling you "Seach Head Clustering is bad mojo; turn back now or forever be filled with regret!"

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Oh you silly goose.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...