Splunk Enterprise Security

Getting a replication error on the DMC host only for the ES SH; unable to add this host as a search peer.

maniyavar
Explorer

Hi Everyone,

I am configuring the ES SH on the DMC (Distributed search » Search peers), but it is failing with "replication status = failed".

I checked the connectivity from the DMC host -> ES SH, which looks good.

This is the error in the _internal logs:
02-19-2020 12:13:38.522 -0500 WARN DistributedPeerManager - Unable to distribute to peer named at uri https://searchPeer_ES_SH:8089 because replication was unsuccessful. ReplicationStatus: Failed - Failure info: failed_because_HTTP_REPLY_ERROR_CODE. Verify connectivity to the search peer, that the search peer is up, and that an adequate level of system resources are available. See the Troubleshooting Manual for more information.

Only the ES SH (standalone) cannot be added to the DMC. I am able to add indexers and other management instances.
Please suggest how to resolve this.

Thanks in advance.

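As an added example (not from the poster or from Splunk), here is a small parser for the DistributedPeerManager warning quoted above, run over constructed _internal lines, so that every peer whose bundle replication is reported as Failed is listed with its failure reason. The regular expression is built from the single sample line in the post; other message variants are an assumption and may not match.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Pattern derived from the one warning line in the post. The peer name may be empty
# ("peer named at uri ..."), so it is optional. Field names are my own.
PEER_WARN_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>\w+) DistributedPeerManager - "
    r"Unable to distribute to peer named(?: (?P<name>\S+))? at uri (?P<uri>\S+) "
    r"because replication was unsuccessful\. "
    r"ReplicationStatus: (?P<status>\w+) - Failure info: (?P<reason>\w+)\."
)

# Constructed sample: the line from the post plus two made-up lines (one for a
# different, hypothetical peer and one unrelated INFO line that must not match).
SAMPLE_INTERNAL_LOG: List[str] = [
    "02-19-2020 12:13:38.522 -0500 WARN DistributedPeerManager - Unable to distribute to peer "
    "named at uri https://searchPeer_ES_SH:8089 because replication was unsuccessful. "
    "ReplicationStatus: Failed - Failure info: failed_because_HTTP_REPLY_ERROR_CODE. "
    "Verify connectivity to the search peer, that the search peer is up, and that an adequate "
    "level of system resources are available. See the Troubleshooting Manual for more information.",
    "02-19-2020 12:14:01.004 -0500 WARN DistributedPeerManager - Unable to distribute to peer "
    "named idx01 at uri https://idx01.example:8089 because replication was unsuccessful. "
    "ReplicationStatus: Failed - Failure info: failed_because_HTTP_REPLY_ERROR_CODE. Verify connectivity.",
    "02-19-2020 12:14:02.000 -0500 INFO DistributedPeerManager - Peer https://idx02.example:8089 is up",
]


@dataclass
class PeerReplicationFailure:
    timestamp: str
    peer_uri: str
    status: str
    reason: str


def parse_peer_failure(line: str) -> Optional[PeerReplicationFailure]:
    """Return the parsed failure for a DistributedPeerManager warning, or None for other lines."""
    m = PEER_WARN_RE.match(line)
    if m is None:
        return None
    return PeerReplicationFailure(m["ts"], m["uri"], m["status"], m["reason"])


def failing_peers(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each peer URI with a Failed replication status to the list of reasons seen for it."""
    result: Dict[str, List[str]] = {}
    for line in lines:
        failure = parse_peer_failure(line)
        if failure is not None and failure.status.lower() == "failed":
            result.setdefault(failure.peer_uri, []).append(failure.reason)
    return result


if __name__ == "__main__":
    for uri, reasons in failing_peers(SAMPLE_INTERNAL_LOG).items():
        print(f"{uri}: {len(reasons)} failure(s), reasons={sorted(set(reasons))}")
```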

maniyavar
Explorer

I added the host as a peer on the DMC by giving the admin password, but the bundle replication status = failed.

I am not sure why the bundle cannot be pushed from the DMC to the ES host.


codebuilder
Influencer

Ensure the pass4SymmKey in the [general] stanza matches that of the rest of the cluster. This must be the same across all related nodes to be recognized as a member of the overall cluster.

----
An upvote would be appreciated and Accept Solution if it helps!

codebuilder
Influencer

On your DMC go to Settings > Distributed Search > Search Peers > Add New Peer

(in my opinion the terminology here becomes confusing because a "peer" normally means an indexer).

That aside, from the Add New Peer interface, enter the full URI to your node: https://host.name:8089 and enter the Splunk admin account username/password.

After that, ensure that the node is recognized by the DMC as having the appropriate role. From the DMC > Settings > DMC > Settings (black bar) > General Setup, find your node name, and on the far right select "edit", then check/uncheck the appropriate roles.

Once completed, it'll take 5 or 10 minutes to update as the DMC pulls logs from the node/indexers.

----
An upvote would be appreciated and Accept Solution if it helps!