Solved: Working with Search Head cluster - Replication iss...

VijaySrrie · ‎05-17-2021

Hi,

I have created a KVstore in Search Head deployer, that KVstore is not replicated to Search heads.

The below setting is given as "true" in Search Head deployer.

conf_replication_include.lookups = true

What else need to be changed?

lakshman239 · ‎05-19-2021

Not sure what you mean by 'Search Heads are not reported to deployer'.?

I assume you are are setting up the deployer and SHC from scratch as per the doc - https://docs.splunk.com/Documentation/Splunk/8.2.0/DistSearch/SHCdeploymentoverview

The only thing I notice is you are using http instead of https in conf_deploy_fetch_url http://deployerIPaddress:8089. Is the deployer not running https?

is the SHC status healthy? whats the output of the kvstatus command?

If you create a lookup in one of the SHC member via UI, does that get replicated to the other 2 members? If so, replication of lookups/knowledge objects works [ you can test for dashboards etc..]

Have you then followed up the doc to connect to cluster master/indexers?

View solution in original post

VijaySrrie · ‎05-18-2021

Hi @lakshman239

KVstore is working fine in the deployer.

Search Heads are not reported to deployer, I have followed the below steps even after that, search heads are not reporting.

In deployer --> server.conf

[shclustering]
pass4SymmKey = passkey
shcluster_label = shcluster1

In Search Heads - 3 search Heads

./splunk init shcluster-config -auth admin:password -mgmt_uri https://SH1-IPaddress:8089 -replication_port 34567 -replication_factor 3 -conf_deploy_fetch_url http://deployerIPaddress:8089 -secret passkey -shcluster_label shcluster1

./splunk restart

./splunk init shcluster-config -auth admin:password -mgmt_uri https://SH2-IPaddress:8089 -replication_port 34567 -replication_factor 3 -conf_deploy_fetch_url http://deployerIPaddress:8089 -secret passkey -shcluster_label shcluster1

./splunk restart

./splunk init shcluster-config -auth admin:password -mgmt_uri https://SH3-IPaddress:8089 -replication_port 34567 -replication_factor 3 -conf_deploy_fetch_url http://deployerIPaddress:8089 -secret passkey -shcluster_label shcluster1
./splunk restart

./splunk bootstrap shcluster-captain -servers_list "https://SH1-IPaddress:8089,https://SH2-IPaddress:8089,https://SH3-IPaddress:8089" -auth admin:password

./splunk show shcluster-status -auth admin:password

./splunk show kvstore-status -auth admin:password

lakshman239 · ‎05-19-2021

Not sure what you mean by 'Search Heads are not reported to deployer'.?

I assume you are are setting up the deployer and SHC from scratch as per the doc - https://docs.splunk.com/Documentation/Splunk/8.2.0/DistSearch/SHCdeploymentoverview

The only thing I notice is you are using http instead of https in conf_deploy_fetch_url http://deployerIPaddress:8089. Is the deployer not running https?

is the SHC status healthy? whats the output of the kvstatus command?

If you create a lookup in one of the SHC member via UI, does that get replicated to the other 2 members? If so, replication of lookups/knowledge objects works [ you can test for dashboards etc..]

Have you then followed up the doc to connect to cluster master/indexers?

lakshman239 · ‎05-18-2021

Hi @VijaySrrie, we don't need to explicitly define conf_replication_include.lookups = true, as this is already defined in etc/system/default/server.conf .

You would need to ensure the collections.conf and transforms.conf have the correct/required conf - Have a look at the docs and https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/usingconfigurationfiles/

Working with Search Head cluster - Replication issue

troubleshooting

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?