Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to connect a SHC to Indexer cluster?

vinothkumark
Path Finder
‎05-02-2023 10:23 AM

Hi All,

I need to connect a new indexer cluster which are in GCP to an existing splunk SHC. I read the below document.

Integrate the search head cluster with an indexer cluster - Splunk Documentation

Integrate with a single-site indexer cluster

Do I need to execute on all the SHC and then do a rolling restart? OR I need to execute on one SH, perform the restart and then follow the same on other SH? also, do I need to start with captain or non-captain?

There is one more way, via GUI part:

Enable the search head - Splunk Documentation

It didn't mention whether I need to apply this on only one SH which is in cluster or on all the SH. can anyone help me with this? Thanks. 


0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎05-02-2023 10:38 PM

Hi. The way we do it is with an app that we put on the Splunk deployer in a special app e.g. /opt/splunk/etc/shcluster/apps/my_idxcluster/default/server.conf

Next we deploy  the app to the search head cluster members. The deployer will determine whether a rolling restart of the heads is needed.

So we follow this https://docs.splunk.com/Documentation/Splunk/9.0.4/Indexer/Configuresearchheadwithserverconf

For example this goes in /opt/splunk/etc/shcluster/apps/my_idxcluster/default/server.conf

[clustering]
manager_uri = https://indexer_cluster_manager_url:8089
mode = searchhead
pass4SymmKey = whatever

 

Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-02-2023 10:48 PM

Here are instructions for connecting to multiple clusters both single and multi sites. https://docs.splunk.com/Documentation/Splunk/9.0.4/Indexer/Configuremulti-clustersearch

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...