Splunk Enterprise Security

Getting replication error on DMC host only for ES SH. Unable to get this host added as a search peer.

Explorer

Hi Everyone,

I am configuring the ES SH on the DMC under Distributed search » Search peers, but it is failing with "replication status = failed".

I checked the connectivity from the DMC host -> ES SH, which looks good.

This is the error in the _internal logs:
02-19-2020 12:13:38.522 -0500 WARN DistributedPeerManager - Unable to distribute to peer named at uri https://searchPeer_ES_SH:8089 because replication was unsuccessful. ReplicationStatus: Failed - Failure info: failedbecauseHTTPREPLYERROR_CODE. Verify connectivity to the search peer, that the search peer is up, and that an adequate level of system resources are available. See the Troubleshooting Manual for more information.

Only the ES SH (standalone) cannot be added to the DMC. I am able to add indexers and other management instances.
Please suggest how to resolve this.

Thanks in advance.

0 Karma

Explorer

I added the host as a peer on the DMC by giving the admin password, but the bundle replication status = failed.

I am not sure why the bundle is unable to push from the DMC to the ES host.

0 Karma

Motivator

Ensure the pass4SymmKey in the [general] stanza matches that of the rest of the cluster. This must be the same across all related nodes to be recognized as a member of the overall cluster.

0 Karma
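An added example, not from this thread, that applies the check above: it reads the [general] pass4SymmKey from server.conf contents collected from several nodes and compares each against a reference node. The node names and key values are constructed sample data. Once Splunk has restarted, the on-disk value is rewritten to an encrypted "$7$..." form using the node-local splunk.secret, so such values cannot be compared across hosts and are flagged separately.

```python
import configparser
from typing import Dict, Optional

# Constructed sample server.conf contents for four nodes (not real hosts).
SAMPLE_CONFS = {
    "dmc":   "[general]\nserverName = dmc\npass4SymmKey = sample-cluster-key\n",
    "idx1":  "[general]\nserverName = idx1\npass4SymmKey = sample-cluster-key\n",
    "es_sh": "[general]\nserverName = es_sh\npass4SymmKey = different-key\n",
    # Already encrypted with this node's own splunk.secret; not comparable.
    "idx2":  "[general]\nserverName = idx2\npass4SymmKey = $7$c2FtcGxlLWVuY3J5cHRlZA==\n",
}


def general_pass4symmkey(conf_text: str) -> Optional[str]:
    """Return pass4SymmKey from the [general] stanza, or None if absent."""
    # Splunk .conf files are INI-like; interpolation is disabled so "$7$" is literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return parser.get("general", "pass4SymmKey", fallback=None)


def check_pass4symmkey(confs: Dict[str, str], reference: str) -> Dict[str, str]:
    """Classify each node's [general] pass4SymmKey against the reference node's."""
    ref = general_pass4symmkey(confs[reference]) or ""
    results = {}
    for node, text in confs.items():
        key = general_pass4symmkey(text)
        if key is None:
            results[node] = "missing"
        elif key.startswith("$7$") or ref.startswith("$7$"):
            # Encrypted on disk; compare only after decrypting on each host.
            results[node] = "encrypted-cannot-compare"
        elif key == ref:
            results[node] = "match"
        else:
            results[node] = "mismatch"
    return results


if __name__ == "__main__":
    for node, verdict in check_pass4symmkey(SAMPLE_CONFS, "dmc").items():
        print(f"{node}: {verdict}")
```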

Motivator

On your DMC go to Settings > Distributed Search > Search Peers > Add New Peer

(in my opinion the terminology here becomes confusing because a "peer" normally means an indexer).

That aside, from the Add New Peer interface, enter the full URI to your node: https://host.name:8089 and enter the Splunk admin account username/password.

After that, ensure that the node is recognized by the DMC as having the appropriate role. From the DMC > Settings > DMC > Settings (black bar) > General Setup, find your node name, and on the far right, select "edit", then check/uncheck the appropriate roles.

Once completed, it'll take 5 or 10 minutes to update as the DMC pulls logs from the node/indexers.

0 Karma