Splunk Enterprise Security

Getting replication error on DMC host only for ES SH. Unable to get this host added as a search peer.

maniyavar
Explorer

Hi Everyone,

I am configuring the ES SH on the DMC (Distributed search » Search peers), but it is failing with "replication status=failed".

I checked the connectivity from DMC host -> ES SH, which looks good.

Below is the error in the _internal logs.
02-19-2020 12:13:38.522 -0500 WARN DistributedPeerManager - Unable to distribute to peer named at uri https://searchPeer_ES_SH:8089 because replication was unsuccessful. ReplicationStatus: Failed - Failure info: failed_because_HTTP_REPLY_ERROR_CODE. Verify connectivity to the search peer, that the search peer is up, and that an adequate level of system resources are available. See the Troubleshooting Manual for more information.

Only the ES SH (standalone) cannot be added to the DMC. I am able to add indexers and other management instances.
Please suggest how to resolve this.

Thanks in advance.

0 Karma

maniyavar
Explorer

I added the host as a peer on the DMC by giving the admin password, but the bundle replication status=failed.

I am not sure why the bundle cannot be pushed from the DMC to the ES host.

0 Karma

codebuilder
SplunkTrust

Ensure the pass4SymmKey in the [general] stanza matches that of the rest of the cluster. This must be the same across all related nodes to be recognized as a member of the overall cluster.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

codebuilder
SplunkTrust

On your DMC go to Settings > Distributed Search > Search Peers > Add New Peer

(in my opinion the terminology here becomes confusing because a "peer" normally means an indexer).

That aside, from the Add New Peer interface, enter the full URI to your node: https://host.name:8089 and enter the Splunk admin account username/password.

After that, ensure that the node is recognized by the DMC as having the appropriate role. From the DMC > Settings > DMC > Settings (black bar) > General Setup >

Find your node name, and on the far right, select "edit", then check/uncheck the appropriate roles.

Once completed, it'll take 5 or 10 minutes to update as the DMC pulls logs from the node/indexers.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
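To confirm that only one peer is failing, and with which failure reason, the DistributedPeerManager warning quoted in the question can be parsed and grouped per peer URI. This is an added example, not part of the original thread and not Splunk code; the regex assumes the message layout of the quoted warning, and the second and third sample lines are constructed.

```python
import re
from datetime import datetime

# Layout assumed from the warning quoted in the question; the peer name may be empty.
PATTERN = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"WARN\s+DistributedPeerManager - Unable to distribute to peer named "
    r"(?P<name>.*?)\s*at uri (?P<uri>\S+) because replication was unsuccessful\. "
    r"ReplicationStatus: (?P<status>\w+) - Failure info: (?P<info>\w+)\."
)

def parse_failure(line):
    """Return a dict for a replication-failure warning, or None for any other line."""
    m = PATTERN.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
    return rec

def summarize(lines):
    """Group failures by (peer URI, failure info): count, first and last time seen."""
    out = {}
    for rec in filter(None, map(parse_failure, lines)):
        key = (rec["uri"], rec["info"])
        s = out.setdefault(key, {"count": 0, "first": rec["ts"], "last": rec["ts"]})
        s["count"] += 1
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    return out

# Shared message body, copied from the warning in the question.
BODY = (" WARN DistributedPeerManager - Unable to distribute to peer named at uri "
        "https://searchPeer_ES_SH:8089 because replication was unsuccessful. "
        "ReplicationStatus: Failed - Failure info: failed_because_HTTP_REPLY_ERROR_CODE. "
        "Verify connectivity to the search peer, that the search peer is up, and that "
        "an adequate level of system resources are available.")
SAMPLE = [
    "02-19-2020 12:13:38.522 -0500" + BODY,   # timestamp from the question
    "02-19-2020 12:14:38.530 -0500" + BODY,   # constructed repeat one minute later
    "02-19-2020 12:14:40.001 -0500 INFO Example - unrelated line",  # constructed noise
]

if __name__ == "__main__":
    for (uri, info), s in summarize(SAMPLE).items():
        print(f"{uri}  {info}  count={s['count']}  "
              f"first={s['first'].isoformat()}  last={s['last'].isoformat()}")
```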