Splunk Enterprise Security

Use Monitoring Console to monitor a Search Head with Enterprise Security

Legend

Hi at all,
I have the following architecture:

  • 2 clustered Indexers,
  • 2 Search Heads,
  • 1 Master Node,
  • 1 Deployment Server.

My architecture has been running correctly since last year.
I left this customer for many months, and in the meantime a colleague installed Enterprise Security on Search Head 2, and it runs correctly.
My problem is that Monitoring Console (installed on Master Node) can no longer see SH2.
I troubleshooted this problem and I found that the REST commands from Monitoring Console don't reach SH2.
There aren't port configuration changes.
Is there something in Enterprise Security that modifies REST access?
Could SSL be the problem? SH12 uses SSL and runs correctly!

Can anybody give me some ideas to troubleshoot this problem?

Bye.
Giuseppe


Re: Use Monitoring Console to monitor a Search Head with Enterprise Security

Splunk Employee

You will have to update the saved search and change the REST endpoint.
From:
/services/alerts/correlationsearches
To:
/services/saved/searches
Update the savedsearch as below:
| rest splunk_server=local count=0 /services/saved/searches | search action.correlationsearch.enabled = 1 | stats count as total, count(eval(disabled=0)) as enabled | eval op = enabled . "/" . total | fields op

Ref: https://docs.splunk.com/Documentation/ESHealthCheck/1.0.0/UserGuide/Releasenotes
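As an added illustration (not code from the thread or from Splunk), the same enabled/total computation done in Python against the JSON form of /services/saved/searches, together with a direct query of a search head's management port that reports TLS failures separately from connection or authentication errors; it assumes management port 8089, a Splunk authentication token, and an optional CA bundle for certificate verification.

```python
import json
import ssl
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple


def summarize_correlation_searches(entries: List[Dict]) -> str:
    """Mirror the SPL: total = saved searches with action.correlationsearch.enabled=1,
    enabled = those with disabled=0, returned as "enabled/total"."""
    total = enabled = 0
    for entry in entries:
        content = entry.get("content", {})
        # The REST API returns these flags as "1"/"0" strings or booleans; normalise both.
        if str(content.get("action.correlationsearch.enabled", "0")).lower() not in ("1", "true"):
            continue
        total += 1
        if str(content.get("disabled", "1")).lower() in ("0", "false"):
            enabled += 1
    return f"{enabled}/{total}"


def fetch_saved_searches(host: str, token: str, port: int = 8089,
                         cafile: Optional[str] = None) -> Tuple[str, List[Dict]]:
    """Query the management port directly (hypothetical helper). Returns ("ok", entries)
    or a diagnostic label: 'tls-error' for certificate/protocol problems, 'http-401'
    for a rejected token, 'connect-error: ...' when the port is unreachable."""
    url = f"https://{host}:{port}/services/saved/searches?output_mode=json&count=0"
    ctx = ssl.create_default_context(cafile=cafile)  # verify the server certificate
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return "ok", json.load(resp)["entry"]
    except urllib.error.HTTPError as e:
        return f"http-{e.code}", []
    except urllib.error.URLError as e:
        if isinstance(e.reason, ssl.SSLError):
            return "tls-error", []
        return f"connect-error: {e.reason}", []


# Constructed sample of what the endpoint returns: two correlation searches
# (one enabled, one disabled) and one ordinary saved search that must be ignored.
SAMPLE_ENTRIES = [
    {"name": "Example Rule A", "content": {"action.correlationsearch.enabled": "1", "disabled": "0"}},
    {"name": "Example Rule B", "content": {"action.correlationsearch.enabled": "1", "disabled": "1"}},
    {"name": "Errors in the last 24 hours", "content": {"disabled": "0"}},
]

if __name__ == "__main__":
    print(summarize_correlation_searches(SAMPLE_ENTRIES))  # 1/2
```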


Re: Use Monitoring Console to monitor a Search Head with Enterprise Security

Legend

Hi lmethwani [Splunk],
Thank you for your answer.
The search you suggested gives me 0 results using splunk_server=local, splunk_server=sh1 and splunk_server=sh2 from the Master Node (where Monitoring Console is installed).
Running only the main REST command (without the piped commands), I get results using splunk_server=sh1 (my main Search Head) but no answer at all using splunk_server=sh2 (the SH where ES is installed).
It seems like the remote REST command interface is disabled on SH2 (locally, REST commands are OK).

The link you suggested isn't reachable.

Bye.
Giuseppe


Re: Use Monitoring Console to monitor a Search Head with Enterprise Security

Legend

One additional piece of information:
I found that when trying to use a REST command from one SH to the other (both SH1->SH2 and SH2->SH1) I don't get any results.
Instead, they run locally and against the other Splunk servers (without SSL).
It seems that there's something wrong in the SSL configuration used by REST.

Bye.
Giuseppe


Re: Use Monitoring Console to monitor a Search Head with Enterprise Security

Splunk Employee

I am able to access the link. However, the link says to update the REST endpoint:

2017-05-10 SOLNESS-12056, SOLNESS-12106 On instances running Splunk Enterprise Security 4.6.0 or later, the Get Enabled Correlation Searches panel does not show results.
Workaround:
Replace the search with the following syntax: | rest splunk_server=local count=0 /services/saved/searches | search action.correlationsearch.enabled = 1 | stats count as total, count(eval(disabled=0)) as enabled | eval op = enabled . "/" . total | fields op


Re: Use Monitoring Console to monitor a Search Head with Enterprise Security

Legend

Hi lmethwani [Splunk],
About the link: it goes to the main documentation page (?).
Running the search you suggested locally, I get 412 results.
I don't understand why you suggest replacing this search on the ES Search Head; I think my problem is probably different:
From my Monitoring Console (which is on a different server, not one of the SHs), all the REST commands to SH2 (the one with ES) give no results; it seems there is something strange in the SSL configs.

Bye.
Giuseppe
