Splunk Enterprise

How to connect a SHC to Indexer cluster?

vinothkumark
Path Finder

Hi All,

I need to connect a new indexer cluster which are in GCP to an existing splunk SHC. I read the below document.

Integrate the search head cluster with an indexer cluster - Splunk Documentation

Integrate with a single-site indexer cluster

Do I need to execute on all the SHC and then do a rolling restart? OR I need to execute on one SH, perform the restart and then follow the same on other SH? also, do I need to start with captain or non-captain?

There is one more way, via GUI part:

Enable the search head - Splunk Documentation

It didn't mention whether I need to apply this on only one SH which is in cluster or on all the SH. can anyone help me with this? Thanks. 


0 Karma

burwell
SplunkTrust
SplunkTrust

Hi. The way we do it is with an app that we put on the Splunk deployer in a special app e.g. /opt/splunk/etc/shcluster/apps/my_idxcluster/default/server.conf

Next we deploy  the app to the search head cluster members. The deployer will determine whether a rolling restart of the heads is needed.

So we follow this https://docs.splunk.com/Documentation/Splunk/9.0.4/Indexer/Configuresearchheadwithserverconf

For example this goes in /opt/splunk/etc/shcluster/apps/my_idxcluster/default/server.conf

[clustering]
manager_uri = https://indexer_cluster_manager_url:8089
mode = searchhead
pass4SymmKey = whatever

 

isoutamo
SplunkTrust
SplunkTrust

Here are instructions for connecting to multiple clusters both single and multi sites. https://docs.splunk.com/Documentation/Splunk/9.0.4/Indexer/Configuremulti-clustersearch

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...