How does the search head know the location of the mounted bundle? When you configure the mounted bundle you add this stanza to the distsearch.conf on the search head:
disabled_servers = pl-wlmsplpp02:8089
servers = pl-wlmsplpp03:8089,pl-wlmsplpp04:8089
Than on the search peers you would use the below:
Our question is how does the search head know the location of teh mounted bundle? We are seeing changes - like adding a new field - are being saved to the local directory on the search head and not the mounted bundle. How can we point the search head to the mounted bundle location?
@divyavikas123 This thread is more than three years old. For a better chance at a helpful response, please post a new question describing your problem.
Thanks DaClyde. No correction needed. It was just the direction I needed to figure out how to mount bundles in Windows. For the benefit of future readers, here are the specific steps I took. This is for one search head (searcher01) and one search peer (indexer01) with Splunk installed on 😧 drives in both cases.
On the search head searcher01...
Created a share etc$ giving Everyone READ permissions
net share etc$="D:\Program Files\Splunk\etc" /GRANT:Everyone,READ
Then edited distsearch.conf to set shareBundle = false.
Notepad.exe "D:\Program Files\Splunk\etc\system\local\distsearch.conf" [distributedSearch] servers = indexer01:8089 shareBundles = false
(I didn't know whether to remove "servers = indexer01:8089" above so I left it, apparently wthout adverse affect.)
On the search peer indexer01...
Created a new directory and then linked to search head's etc$ share...
D: mkdir \shared-bundles cd \shared-bundles mklink /D searcher01 \\searcher01\etc$
Created new file distsearch.conf with one stanza.
Notepad.exe "D:\Program Files\Splunk\etc\system\local\distsearch.conf" [searchhead:searcher01] mounted_bundles = true bundles_location = d:\shared_bundles\searcher01
As best as I can make out, the only way to make this work (since there is no configurable option in the search head as to where its ETC folder resides) is to use a symbolic link and mount the copy of the etc folder on the shared storage to where the search head would normally expect the etc folder to reside.
In Windows, there is now a mklink command for mounting a network share directly into the folder structure you want, similar to how *nix has always had.
If your knowledge bundle is here: \\NAS\KB\etc\
On the Windows you would use mklink something like this:
navigate to your %SPLUNK_HOME% location (something like C:\Program Files\Splunk) then execute the command from there:
mklink /D etc "\\NAS\KB\etc\"
So now, your C:\Program Files\Splunk\etc folder is actually a link to \\NAS\KB\etc, but the search head just sees it as a local folder (provided all the permissions are set properly to allow the search head to write to the shared storage).
Someone please correct me if this is incorrect. This was the best I could work out since the Splunk documentation always assumes the end-user already knows how to do everything non-Splunk related.