Splunk Enterprise Security

Getting replication error on DMC host only for ES SH; unable to get this host added as a search peer.

maniyavar
Explorer

Hi Everyone,

I am configuring the ES SH on the DMC (Distributed search » Search peers), but it is failing with "replication status = failed".

I checked the connectivity from DMC host -> ES SH, which looks good.

Below is the error in the _internal logs:
02-19-2020 12:13:38.522 -0500 WARN DistributedPeerManager - Unable to distribute to peer named at uri https://searchPeer_ES_SH:8089 because replication was unsuccessful. ReplicationStatus: Failed - Failure info: failed_because_HTTP_REPLY_ERROR_CODE. Verify connectivity to the search peer, that the search peer is up, and that an adequate level of system resources are available. See the Troubleshooting Manual for more information.

Only the ES SH (standalone) is not able to be added to the DMC. I am able to add indexers and other management instances.
Please suggest how to resolve this.

Thanks in advance.

0 Karma
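To triage warnings like the one quoted in the post above, this added Python example (not from the thread or from Splunk) groups DistributedPeerManager replication failures by peer URI and records the failure code and time window. Only the first sample line comes from the post; the others are constructed, and `idx.example` / `idx-example` are hypothetical names.

```python
import re
from datetime import datetime

# Matches the DistributedPeerManager warning quoted in the post. The peer
# name may be empty, as it is in that log line.
PEER_FAIL = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"WARN\s+DistributedPeerManager - Unable to distribute to peer named\s*"
    r"(?P<name>\S*?)\s*at uri (?P<uri>\S+) because replication was "
    r"unsuccessful\. ReplicationStatus: (?P<status>\w+) - "
    r"Failure info: (?P<info>\w+)"
)

def summarize_failures(lines):
    """Group bundle-replication failures by peer URI."""
    peers = {}
    for line in lines:
        m = PEER_FAIL.match(line.strip())
        if not m:
            continue  # not a replication-failure warning
        ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
        p = peers.setdefault(m["uri"], {"name": m["name"], "count": 0,
                                        "first": ts, "last": ts,
                                        "reasons": set()})
        p["count"] += 1
        p["first"] = min(p["first"], ts)
        p["last"] = max(p["last"], ts)
        p["reasons"].add(m["info"])
    return peers

TAIL = (" because replication was unsuccessful. ReplicationStatus: Failed - "
        "Failure info: failed_because_HTTP_REPLY_ERROR_CODE. Verify ...")
PREFIX = " WARN DistributedPeerManager - Unable to distribute to peer named "
SAMPLE = [
    # Line from the post (trailing advice text shortened).
    "02-19-2020 12:13:38.522 -0500" + PREFIX
    + "at uri https://searchPeer_ES_SH:8089" + TAIL,
    # Constructed: same peer failing again a minute later.
    "02-19-2020 12:14:38.530 -0500" + PREFIX
    + " at uri https://searchPeer_ES_SH:8089" + TAIL,
    # Constructed: unrelated line that must be ignored.
    "02-19-2020 12:14:40.000 -0500 INFO ExampleComponent - constructed line",
    # Constructed: hypothetical named peer.
    "02-19-2020 12:15:00.100 -0500" + PREFIX
    + "idx-example at uri https://idx.example:8089" + TAIL,
]

if __name__ == "__main__":
    for uri, p in summarize_failures(SAMPLE).items():
        print(uri, p["count"], sorted(p["reasons"]), p["first"], p["last"])
```

A peer that fails on every replication cycle with the same failure code, while other peers replicate normally, points at that peer's configuration rather than at the DMC.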

maniyavar
Explorer

I added the host as a peer on the DMC by giving the admin password, but bundle replication status=failed.

I am not sure why the bundle is unable to push from the DMC to the ES host.

0 Karma

codebuilder
SplunkTrust

Ensure the pass4SymmKey in the [general] stanza matches that of the rest of the cluster. This must be the same across all related nodes to be recognized as a member of the overall cluster.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

codebuilder
SplunkTrust

On your DMC go to Settings > Distributed Search > Search Peers > Add New Peer

(in my opinion the terminology here becomes confusing because a "peer" normally means an indexer).

That aside, from the Add New Peer interface, enter the full URI to your node: https://host.name:8089 and enter the Splunk admin account username/password.

After that, ensure that the node is recognized by the DMC as having the appropriate role. From the DMC > Settings > DMC > Settings (black bar) > General Setup >

Find your node name, and on the far right, select "edit", then check/uncheck the appropriate roles.

Once completed, it'll take 5 or 10 minutes to update as the DMC pulls logs from the node/indexers.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma