Solved: Working with Search Head cluster - Replication iss...

VijaySrrie · ‎05-17-2021

Hi,

I have created a KVstore in Search Head deployer, that KVstore is not replicated to Search heads.

The below setting is given as "true" in Search Head deployer.

conf_replication_include.lookups = true

What else need to be changed?

lakshman239 · ‎05-19-2021

Not sure what you mean by 'Search Heads are not reported to deployer'.?

I assume you are are setting up the deployer and SHC from scratch as per the doc - https://docs.splunk.com/Documentation/Splunk/8.2.0/DistSearch/SHCdeploymentoverview

The only thing I notice is you are using http instead of https in conf_deploy_fetch_url http://deployerIPaddress:8089. Is the deployer not running https?

is the SHC status healthy? whats the output of the kvstatus command?

If you create a lookup in one of the SHC member via UI, does that get replicated to the other 2 members? If so, replication of lookups/knowledge objects works [ you can test for dashboards etc..]

Have you then followed up the doc to connect to cluster master/indexers?

View solution in original post

VijaySrrie · ‎05-18-2021

Hi @lakshman239

KVstore is working fine in the deployer.

Search Heads are not reported to deployer, I have followed the below steps even after that, search heads are not reporting.

In deployer --> server.conf

[shclustering]
pass4SymmKey = passkey
shcluster_label = shcluster1

In Search Heads - 3 search Heads

./splunk init shcluster-config -auth admin:password -mgmt_uri https://SH1-IPaddress:8089 -replication_port 34567 -replication_factor 3 -conf_deploy_fetch_url http://deployerIPaddress:8089 -secret passkey -shcluster_label shcluster1

./splunk restart

./splunk init shcluster-config -auth admin:password -mgmt_uri https://SH2-IPaddress:8089 -replication_port 34567 -replication_factor 3 -conf_deploy_fetch_url http://deployerIPaddress:8089 -secret passkey -shcluster_label shcluster1

./splunk restart

./splunk init shcluster-config -auth admin:password -mgmt_uri https://SH3-IPaddress:8089 -replication_port 34567 -replication_factor 3 -conf_deploy_fetch_url http://deployerIPaddress:8089 -secret passkey -shcluster_label shcluster1
./splunk restart

./splunk bootstrap shcluster-captain -servers_list "https://SH1-IPaddress:8089,https://SH2-IPaddress:8089,https://SH3-IPaddress:8089" -auth admin:password

./splunk show shcluster-status -auth admin:password

./splunk show kvstore-status -auth admin:password

lakshman239 · ‎05-19-2021

Not sure what you mean by 'Search Heads are not reported to deployer'.?

I assume you are are setting up the deployer and SHC from scratch as per the doc - https://docs.splunk.com/Documentation/Splunk/8.2.0/DistSearch/SHCdeploymentoverview

The only thing I notice is you are using http instead of https in conf_deploy_fetch_url http://deployerIPaddress:8089. Is the deployer not running https?

is the SHC status healthy? whats the output of the kvstatus command?

If you create a lookup in one of the SHC member via UI, does that get replicated to the other 2 members? If so, replication of lookups/knowledge objects works [ you can test for dashboards etc..]

Have you then followed up the doc to connect to cluster master/indexers?

lakshman239 · ‎05-18-2021

Hi @VijaySrrie, we don't need to explicitly define conf_replication_include.lookups = true, as this is already defined in etc/system/default/server.conf .

You would need to ensure the collections.conf and transforms.conf have the correct/required conf - Have a look at the docs and https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/usingconfigurationfiles/

Working with Search Head cluster - Replication issue

troubleshooting

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes