Mounted Bundle path - Search Head

Communicator

How does the search head know the location of the mounted bundle? When you configure the mounted bundle you add this stanza to the distsearch.conf on the search head:

    [distributedSearch]
    disabled_servers = pl-wlmsplpp02:8089
    servers = pl-wlmsplpp03:8089,pl-wlmsplpp04:8089
    shareBundles=false

Then on the search peers you would use the below:

    [searchhead:pl-wlmsplpp01]
    mounted_bundles=true
    bundles_location=\PL-WLMSPLPP01\E$\splunk_knowledge_bundle

Our question is how does the search head know the location of the mounted bundle? We are seeing that changes, like adding a new field, are being saved to the local directory on the search head and not the mounted bundle. How can we point the search head to the mounted bundle location?

Explorer

Can we create a symlink in indexers for search peers' bundles?

0 Karma

SplunkTrust

@divyavikas123 This thread is more than three years old. For a better chance at a helpful response, please post a new question describing your problem.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Engager

Thanks DaClyde. No correction needed. It was just the direction I needed to figure out how to mount bundles in Windows. For the benefit of future readers, here are the specific steps I took. This is for one search head (searcher01) and one search peer (indexer01) with Splunk installed on D: drives in both cases.

On the search head searcher01...
Created a share etc$ giving Everyone READ permissions

    net share etc$="D:\Program Files\Splunk\etc" /GRANT:Everyone,READ

Then edited distsearch.conf to set shareBundles = false.

    Notepad.exe "D:\Program Files\Splunk\etc\system\local\distsearch.conf"

    [distributedSearch]
    servers = indexer01:8089
    shareBundles = false

(I didn't know whether to remove "servers = indexer01:8089" above so I left it, apparently without adverse effect.)

On the search peer indexer01...
Created a new directory and then linked to search head's etc$ share...

    D:
    mkdir \shared-bundles
    cd \shared-bundles
    mklink /D searcher01 \\searcher01\etc$

Created new file distsearch.conf with one stanza.

    Notepad.exe "D:\Program Files\Splunk\etc\system\local\distsearch.conf"

    [searchhead:searcher01]
    mounted_bundles = true
    bundles_location = d:\shared-bundles\searcher01
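
A consistency check for the two distsearch.conf files from the steps above, as an added example that is not part of the original post or Splunk's own tooling. The function names, the sample configs and the `dir_exists` stand-in are assumptions made for illustration; on a real peer you would pass `os.path.isdir` instead.

```python
import configparser

def _parse(conf_text):
    # Splunk .conf files are INI-like: keep key case, split on "=" only,
    # and switch off "%" interpolation.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.optionxform = str
    cp.read_string(conf_text)
    return cp

def _is_true(value):
    # Assumption: only "true" and "1" count as enabled in this sketch.
    return value.strip().lower() in ("true", "1")

def check_mounted_bundle(head_conf, peer_conf, head_name, path_exists):
    """Return a list of problems; an empty list means both sides agree."""
    problems = []
    head, peer = _parse(head_conf), _parse(peer_conf)
    # Search head: bundle replication has to be switched off.
    share = head.get("distributedSearch", "shareBundles", fallback=None)
    if share is None or _is_true(share):
        problems.append("search head: shareBundles is not false")
    # Search peer: one [searchhead:<name>] stanza per search head.
    stanza = "searchhead:" + head_name
    if not peer.has_section(stanza):
        return problems + ["peer: no [%s] stanza" % stanza]
    if not _is_true(peer.get(stanza, "mounted_bundles", fallback="false")):
        problems.append("peer: mounted_bundles is not true")
    location = peer.get(stanza, "bundles_location", fallback="").strip()
    if not location:
        problems.append("peer: bundles_location is missing")
    elif not path_exists(location):
        problems.append("peer: bundles_location does not exist: " + location)
    return problems

# Constructed sample: the peer stanza names a directory that was never created.
HEAD_CONF = "[distributedSearch]\nservers = indexer01:8089\nshareBundles = false\n"
PEER_CONF = ("[searchhead:searcher01]\nmounted_bundles = true\n"
             "bundles_location = d:\\shared_bundles\\searcher01\n")
CREATED_DIRS = {r"d:\shared-bundles\searcher01"}

def dir_exists(path):
    # Stand-in for os.path.isdir so the sample runs anywhere.
    return path.lower() in CREATED_DIRS

if __name__ == "__main__":
    for problem in check_mounted_bundle(HEAD_CONF, PEER_CONF, "searcher01", dir_exists):
        print(problem)
```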

Contributor

As best as I can make out, the only way to make this work (since there is no configurable option in the search head as to where its ETC folder resides) is to use a symbolic link and mount the copy of the etc folder on the shared storage to where the search head would normally expect the etc folder to reside.

In Windows, there is now a mklink command for mounting a network share directly into the folder structure you want, similar to how *nix has always had.

If your knowledge bundle is here: \\NAS\KB\etc\

On Windows you would use mklink something like this:

Navigate to your %SPLUNK_HOME% location (something like C:\Program Files\Splunk) then execute the command from there:

    mklink /D etc "\\NAS\KB\etc\"

So now, your C:\Program Files\Splunk\etc folder is actually a link to \\NAS\KB\etc, but the search head just sees it as a local folder (provided all the permissions are set properly to allow the search head to write to the shared storage).

Someone please correct me if this is incorrect. This was the best I could work out since the Splunk documentation always assumes the end-user already knows how to do everything non-Splunk related.
