Monitoring Splunk

What are the steps to install Monitoring Console on the License Master instance?

abhi04
Communicator

We are building the splunk clustered environment for dev environment. We have a License Master setup. We want the Monitoring console to be setup on the same License master instance. Please let me know what are the steps to be followed for that?

Thanks in advance.


straitsresearch
Engager

I hope this could help you out.

Most Common Implementation and Deployment Framework

Install splunk enterprise on license master and configure license master
Install splunk enterprise on indexers and configure indexers (alternatively for indexer cluster, install Splunk enterprise on cluster master and indexers and configure indexer cluster)
Install splunk enterprise on search heads and configure search heads
Install splunk enterprise on deployment server and configure deployment server
Install splunk universal forwarder on input devices and configure universal forwarders to connect to deployment server and to forward to indexers
Install Splunk enterprise on DMC monitoring console server and configure monitoring console
(Optional) – Install Splunk enterprise on heavy forwarders and configure heavy forwarders

Install and Configure Splunk Indexer

Install Splunk Enterprise on Linux Server (If you need to create a Linux Server first, visit ___)
Configure Splunk Instance to be an Indexer
Connect Splunk Indexer to Splunk Search Head (Must Configure Search Head first, see instructions here)
Peer Splunk Indexer to DMC (Monitoring Console) for monitoring

woodcock
Esteemed Legend

Go to Settings -> Search peers and ensure that ALL Splunk infrastructure nodes are peers. When you peer the Cluster Master, the Indexers should peer in, but if not, add those, too.
Go to Monitoring Console -> Setup -> General Setup and select Distributed Mode then edit each peer to manually assign the correct roles. Click Apply and then PROFIT!!!

Also see here:
https://answers.splunk.com/answers/702341/turn-on-monitoring-console-distributed-mode-via-cl.html

abhi04
Communicator

@woodcock , but the monitoring console is to be shared with License master. The clustered indexers cannot be added. For monitoring an indexer cluster and you are hosting the monitoring console on an instance other than the cluster master, you must add the cluster master as a search peer and you must configure the monitoring console instance as a search-head in that cluster.

So, I believe in my case the License master needs to be added as a search head cluster as the DMC needs to be configured in this same instance.
So, Can the License master be added as a search head cluster?


woodcock
Esteemed Legend

You are mixing up concepts and terms. There is no such thing as a management console so I have no idea what you mean there. A License Master already IS a Search Head, it just doesn't have any peers by default and you need to change that in order for it to also become the Monitoring Console. I have done this many times. Just add the peers (either directly, or via the Cluster Master) and run the setup.

abhi04
Communicator

I am sorry, just corrected the "management" to "monitoring". What I meant is that the clustered indexers cannot be added to the search peers directly in the splunk instance web where monitoring console needs to be setup. The cluster master needs to be added as a search peer in the monitoring console. Please correct me if I am wrong here.


woodcock
Esteemed Legend

You can do either; it is your choice. Personally, I don't trust the Cluster Master and I directly peer. Old habits die hard but you do you.


abhi04
Communicator

Ok, so we can also add indexers which are clustered directly as search peers individually?


woodcock
Esteemed Legend

Yes, that way if you have an event where your splunk servers bounce and the Cluster Master does not come back, the Monitoring Console will still see the Indexers.


abhi04
Communicator

@woodcock Thanks for the response 🙂 I have added the instances individually and can see the data for those instances in Monitoring Console now. I will be grateful if you could give an insight on the below doubts as well.

  1. What server roles need to be assigned to each instance? The KV roles are to be set only for the search head?

  2. While Applying Changes I got an error message for one of the search heads that said "Atleast one of the instance is not forwarding its internal logs". But I do see the data and graphs for the servers in the Monitoring Console.


woodcock
Esteemed Legend

Search Heads should get Search Head and KV Store, everything else should be obvious. You probably have Search Heads that do not have outputs.conf to send their logs to the Indexers which is the warning and you should fix that. Yes, EVERY node should be added as a search peer. Even your Heavy Forwarders which should be set as Indexer.

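As an added example (not code from any poster in this thread), the script below carries out the two steps woodcock describes from the CLI: peer every infrastructure node into the License Master that will host the Monitoring Console, and give a search head the outputs.conf it needs so its internal logs reach the indexers (which clears the "not forwarding its internal logs" warning). The hostnames, the $SPLUNK_HOME path and the credentials are assumed placeholders; it prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed placeholders: SPLUNK_HOME,
# peer hostnames, admin credentials. DRY_RUN=1 (default) only echoes.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
DRY_RUN="${DRY_RUN:-1}"
LOCAL_ADMIN="admin:changeme"       # assumed: credentials on this instance
REMOTE_USER="admin"                # assumed: credentials valid on each peer
REMOTE_PASS="changeme"

# Constructed list of every node to monitor, as host:mgmt_port, one per line.
# Indexers are listed individually so the MC still sees them if the CM is down.
PEERS="idx1.example.internal:8089
idx2.example.internal:8089
cm1.example.internal:8089
sh1.example.internal:8089
hf1.example.internal:8089"

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Add one search peer to this instance (the License Master / future MC).
add_peer() {
  run "$SPLUNK_HOME/bin/splunk" add search-server "https://$1" \
      -auth "$LOCAL_ADMIN" \
      -remoteUsername "$REMOTE_USER" -remotePassword "$REMOTE_PASS"
}

# Peer every node in PEERS; the for-loop splits the list on newlines.
add_all_peers() { for p in $PEERS; do add_peer "$p"; done; }

# Render the outputs.conf a search head needs: do not index locally,
# forward everything (internal indexes included) to the receiving group.
# $1 = comma-separated list of indexer host:port receivers.
render_outputs_conf() {
  cat <<EOF
[indexAndForward]
index = false

[tcpout]
defaultGroup = primary_indexers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:primary_indexers]
server = $1
EOF
}

# Write the rendered file on the search head (echoes it in dry-run mode).
install_outputs_conf() {
  dir="$SPLUNK_HOME/etc/system/local"
  if [ "$DRY_RUN" = 1 ]; then render_outputs_conf "$1"; return; fi
  mkdir -p "$dir" && render_outputs_conf "$1" > "$dir/outputs.conf"
}
```

After applying outputs.conf the search head needs a restart, and each indexer must have a receiving port open (Settings -> Forwarding and receiving) matching the ports in the server list.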

richgalloway
SplunkTrust

The process is the same no matter where you install the MC. See https://docs.splunk.com/Documentation/Splunk/8.0.0/DMC/Configureindistributedmode for the instructions.

---
If this reply helps you, Karma would be appreciated.

abhi04
Communicator

@richgalloway , thanks for the quick reply. So, I just need to login to the License Master GUI and follow the steps? Just want to make sure.


richgalloway
SplunkTrust

That is correct. You will need credentials for all of the other instances so you can add them as search peers.

---
If this reply helps you, Karma would be appreciated.