Hi,
I'll migrate from my old standalone Splunk system to a Splunk cluster with the following systems:
- 1 Searchhead
- 1 Masternode
- 3 Peernodes
In my old system I have multiple roles with different access permissions based on indices. In the role configuration I can simply activate permission on an index or not.
In the new cluster the indices will be configured at the master node within "../etc/master-apps/*".
Here are my questions:
- Do I have a graphical interface anywhere in Splunk to manage the indices which will be replicated? Under Settings -> Indices I can only see the local indices but not the replicated ones.
- The permissions for the cluster will be configured at the searchhead, correct? If I must now configure a new role which has, for example, only permissions to the index "cluster_index_1", I cannot simply activate the index in the role configuration because my system does not see all the available indices. Is it necessary to create all the indices which are available in the cluster at the searchhead so that I can choose them in the role configuration?
For me the configuration of a Splunk cluster is currently not a straightforward thing. There are different locations where I must configure something.
Thanks and best regards
seilemor
Hi @seilemor,
1.) You mentioned that you are not able to see replicated indices under Settings -> Indices. Can you please define "replicated indices", and on which Splunk server are you checking this?
2.) Yes, you can just assign an index to an existing role or create a new role on the search head with the required indexes. But as you mentioned that you are not able to see all indexes while configuring the role, can you please let us know how your search head is connected with the indexers? You need to configure the search head so it will point to the cluster master and search data from the indexer cluster. Please refer to http://docs.splunk.com/Documentation/Splunk/6.4.1/Indexer/Configuresearchheadwithserverconf
EDIT: 1.) I had provided the wrong link to integrate a standalone search head with an indexer cluster.
2.) Provided the correct URL to configure a search head with an indexer cluster.
Hi and thanks for the quick answer.
By a replicated index I mean those indices which will be mirrored on my peernodes. I can see these indices within "Settings -> Distributed Environment -> Indexer Clustering -> Indexes". I search for the indices on the masternode.
Searching data from the searchhead is possible. The only question is how I can restrict some roles and users to specific indices which are replicated from my masternode to my peernodes. I think that this is only possible if I also create the indices on my searchhead (only so that they are available and can be chosen in the role configuration, for example with a size of 1MB, because I only use them to control the permissions).
1.) The indexes which are shown on the Cluster Master under Settings -> Distributed Environment -> Indexer Clustering -> Indexes are the indexes available on the indexers. If you go to Settings -> Indexes on the Cluster Master, you will be able to see only the local indexes which are available on the Cluster Master.
2.) Why are you applying role configuration from the Cluster Master to the indexers? Role configuration is only required on the search head. When the search head tries to search any data from the indexers, it will pass the knowledge bundle, which contains the role configuration and many other settings, so you do not need to push role configuration from the Cluster Master to the indexers.
I don't want to apply role configuration from the cluster master to my indexer.
The requirement:
I want to have a Role A and Role B. Role A has permissions to the Index 123 and Role B should have permission for the Index ABC. Both roles should not have permission to the other index.
Current configuration:
On my master node I have configured the necessary Index 123 and Index ABC within $SPLUNKHOME/etc/master-apps/_cluster/local/indexes.conf. Both configurations have the setting repFactor = auto so that these index configurations will be replicated to the peer nodes. On my peer nodes I can see the configuration regarding the indices within Settings -> Indexes.
To finalize my configuration I must now configure the roles at my searchhead regarding the described requirements.
Role A = Index 123
Role B = Index ABC
The problem:
Within my role configuration on my searchhead I don't see the available indices. That means that I cannot choose within the role configuration for which index the role should be permitted.
Question:
How can I handle this problem?
You need to configure search head so it will point to cluster master and search data from Indexer cluster. Please refer http://docs.splunk.com/Documentation/Splunk/6.4.1/Indexer/Configuresearchheadwithserverconf
Searching the data is not the problem. From the searchhead I can search all the data which are available on the peer nodes.
The problem is the permission of the users. I want that the user can only search within some dedicated indices. The user should not have the ability to search through all data which are available on the peer nodes.
OK, so can you please let me know: when you try to configure a role on the search head, are you able to see any indexes which are present on the indexers? If not, then can you please try to create a blank Index 123 on the search head and then try again to configure the role.
EDIT: If you are running Splunk 7 then you are hitting a bug; see https://answers.splunk.com/answers/583581/indexes-are-not-available-to-select-from-available-1.html
That's it. Thanks. I have the same issue as described in the linked question. I've also tested what happens if I manually create the index as you described. This works for me. In my first question of this thread I only wanted to know if this is normal or if I have an issue in my configuration. Now I know that it is a bug.
Thanks, I have converted my comment to answer, if you are satisfied with the answer then please accept as answer and upvote.
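Added example, not part of any post in this thread: a Python check for the requirement discussed above (Role A limited to Index 123, Role B limited to Index ABC) that reads search-head authorize.conf text, follows importRoles inheritance, and reports any role that can reach an index outside its policy. The role names, the index names index_123 and index_abc, the role_b_lead role and the policy table are constructed stand-ins, and matching is simplified to plain wildcard patterns.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed search-head authorize.conf; names stand in for Role A / Index 123 etc.
AUTHORIZE_CONF = """
[role_a]
srchIndexesAllowed = index_123
[role_b]
srchIndexesAllowed = index_abc
[role_b_lead]
importRoles = b;user
[role_user]
srchIndexesAllowed = *
"""
# Constructed policy: the only indexes each role is meant to search.
POLICY = {"a": {"index_123"}, "b": {"index_abc"}, "b_lead": {"index_abc"}}

def _split(value):
    return [v.strip() for v in value.split(";") if v.strip()]

def load_roles(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # setting names are case-sensitive
    cp.read_string(text)
    return {s[len("role_"):]: {"allowed": _split(cp[s].get("srchIndexesAllowed", "")),
                               "imports": _split(cp[s].get("importRoles", ""))}
            for s in cp.sections() if s.startswith("role_")}

def effective_patterns(roles, name, seen=None):
    """A role's own srchIndexesAllowed plus everything inherited via importRoles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    patterns = set(roles[name]["allowed"])
    for parent in roles[name]["imports"]:
        patterns |= effective_patterns(roles, parent, seen)
    return patterns

def can_search(roles, name, index):
    return any(fnmatchcase(index, p) for p in effective_patterns(roles, name))

def isolation_violations(roles, policy):
    """Every (role, index) pair where a role reaches an index outside its policy."""
    every_index = set().union(*policy.values())
    return sorted((r, i) for r, ok in policy.items()
                  for i in every_index - ok if can_search(roles, r, i))

if __name__ == "__main__":
    print(isolation_violations(load_roles(AUTHORIZE_CONF), POLICY))
```

In the sample, role_b_lead lists no indexes of its own but inherits a `*` pattern through importRoles, so it is reported as able to search index_123.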