Splunk Enterprise Security

Use Monitoring Console to monitor a Search Head with Enterprise Security

SplunkTrust

Hi all,
I have the following architecture:

  • 2 clustered Indexers,
  • 2 Search Heads,
  • 1 Master Node,
  • 1 Deployment Server.

My architecture has been running correctly since last year.
I left this customer for many months and in the meantime a colleague installed Enterprise Security on Search Head 2, and it runs correctly.
My problem is that the Monitoring Console (installed on the Master Node) can no longer see SH2.
I troubleshooted this problem and found that the REST commands from the Monitoring Console don't reach SH2.
There are no port configuration changes.
Is there something in Enterprise Security that modifies REST access?
Could SSL be the problem? SH12 uses SSL and runs correctly!

Can anybody give me some ideas to troubleshoot this problem?

Bye.
Giuseppe


Splunk Employee

You will have to update the saved search and change the REST endpoint.
From:
/services/alerts/correlationsearches
To:
/services/saved/searches
Update the saved search as below:
| rest splunk_server=local count=0 /services/saved/searches | search action.correlationsearch.enabled = 1 | stats count as total, count(eval(disabled=0)) as enabled | eval op = enabled . "/" . total | fields op

Ref: https://docs.splunk.com/Documentation/ESHealthCheck/1.0.0/UserGuide/Releasenotes

SplunkTrust

Hi lmethwani [Splunk],
Thank you for your answer.
The search you suggested gives me 0 results using splunk_server=local, splunk_server=sh1 and splunk_server=sh2 from the Master Node (where the Monitoring Console is installed).
I'm running the main REST command (without the piped commands) and I have results using splunk_server=sh1 (my main Search Head), but I don't get any answer using splunk_server=sh2 (the SH where ES is installed).
It seems like the remote REST command interface is disabled on SH2 (locally, REST commands are OK).

The link you suggested isn't reachable.

Bye.
Giuseppe


Splunk Employee

I am able to access the link. However, the link says to update the REST endpoint:

2017-05-10 SOLNESS-12056, SOLNESS-12106 On instances running Splunk Enterprise Security 4.6.0 or later, the Get Enabled Correlation Searches panel does not show results.
Workaround:
Replace the search with the following syntax: | rest splunk_server=local count=0 /services/saved/searches | search action.correlationsearch.enabled = 1 | stats count as total, count(eval(disabled=0)) as enabled | eval op = enabled . "/" . total | fields op

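As an added illustration (not code from the thread or from Splunk), the following Python reproduces what the suggested search computes, run over a constructed sample of the JSON that /services/saved/searches returns with output_mode=json; the entry layout, the `disabled` field and the `action.correlationsearch.enabled` field are assumptions about that output.

```python
import json

# Constructed sample of a /services/saved/searches?output_mode=json response,
# trimmed to the fields the search uses (the real response has many more keys).
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "Access - Brute Force Access Behavior Detected - Rule",
         "content": {"disabled": False, "action.correlationsearch.enabled": "1"}},
        {"name": "Threat - Threat List Activity - Rule",
         "content": {"disabled": True, "action.correlationsearch.enabled": "1"}},
        {"name": "Endpoint - Host With Malware Detected - Rule",
         "content": {"disabled": False, "action.correlationsearch.enabled": "1"}},
        # an ordinary saved search, not a correlation search: must not be counted
        {"name": "Errors in the last 24 hours",
         "content": {"disabled": False}},
    ]
})


def _is_truthy(value):
    """Normalise 0/1, "0"/"1" and true/false, all of which the REST API may return."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true")


def correlation_search_status(response_json):
    """Mirror the SPL pipeline from the workaround:
       | search action.correlationsearch.enabled = 1
       | stats count as total, count(eval(disabled=0)) as enabled
       | eval op = enabled . "/" . total
    Returns (enabled, total, op). An empty REST result gives (0, 0, "0/0"),
    which is what the panel shows when the endpoint is unreachable."""
    entries = json.loads(response_json).get("entry", [])
    correlation = [
        e for e in entries
        if _is_truthy(e.get("content", {}).get("action.correlationsearch.enabled", "0"))
    ]
    total = len(correlation)
    enabled = sum(1 for e in correlation if not _is_truthy(e["content"].get("disabled", False)))
    return enabled, total, f"{enabled}/{total}"


if __name__ == "__main__":
    print(correlation_search_status(SAMPLE_RESPONSE))  # (2, 3, '2/3')
```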

SplunkTrust

Hi lmethwani [Splunk],
About the link, it addresses the main documentation page (?).
Locally running the search you suggested, I have 412 results.
I don't understand why you suggest replacing this search on the ES Search Head; I think that my problem is probably different:
From my Monitoring Console (which is on a different server, not the SHs) all the REST commands to SH2 (the one with ES) give no results; it seems that there's something strange in the SSL configs.

Bye.
Giuseppe


SplunkTrust

One additional piece of information:
I found that trying to use the REST command from one SH to the other (both SH1->SH2 and SH2->SH1), I don't get any results.
Instead, they run locally and to the other Splunk servers (without SSL).
It seems that there's something wrong in the SSL configuration used by REST.

Bye.
Giuseppe
