Set up a Distributed Peer, when Search Head is Part of a Cluster

jmsiegma
Path Finder

I have a Cluster which has 3 Indexers and a Search Head on the East Coast; I also have a single stand-alone server (Indexer & Search Head) on the West Coast.

I was able to set up the three Indexers as distributed search peers on the West Coast server, and I am able to search all three of them for any of the indexes.

But I don't have the ability to configure the West Coast Indexer on the East Coast Search Head that is part of the cluster.

How or what is the right way to do this?

0 Karma
1 Solution

sowings
Splunk Employee

When you're using a clustered setup, the search head pretty much ignores distsearch.conf, the traditional means of specifying search peers. It can only contact indexers that are part of a cluster. A lot of people, when migrating from a traditional distributed search setup to one involving clusters, employ a holdover "cluster of one": a cluster master with a replication factor of one (1) and a search factor of one (1), with only the standalone indexers as peers. This means that the indexers function as they used to, while satisfying the "must be clustered" requirement for the search head to search across all of them.

To employ this strategy, you would need to create a "cluster of one" on the West Coast, and direct the East Coast SH to contact that cluster master. The configuration in the server.conf of the East Coast SH would look like this:

[clustering]
mode = searchhead
master_uri = clustermaster:west, clustermaster:east
# each name after "clustermaster:" needs its own [clustermaster:<name>] stanza holding that master's real master_uri (https://host:port) and pass4SymmKey

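The full stanza layout the accepted answer is pointing at, together with a sanity check to run over the East Coast search head's server.conf before restarting, as an added example that is not part of the original thread and is not anything Splunk ships. It assumes the Splunk 6.x attribute names (`master_uri`, `pass4SymmKey`, a `[clustermaster:<label>]` stanza per referenced master), Splunk's default management port 8089, and placeholder host names and secrets; the sample conf text is constructed for the example.

```python
import configparser

# Constructed sample, not from the original thread: the East Coast search
# head's server.conf for the "cluster of one" approach. Each reference in the
# [clustering] master_uri list names a [clustermaster:<label>] stanza that
# carries that cluster master's real management URI and pass4SymmKey.
# Host names, port and secrets are placeholders.
EAST_SH_SERVER_CONF = """\
[clustering]
mode = searchhead
master_uri = clustermaster:west, clustermaster:east

[clustermaster:west]
master_uri = https://west-coast.cluster.master:8089
pass4SymmKey = west-secret-change-me

[clustermaster:east]
master_uri = https://east-coast.cluster.master:8089
pass4SymmKey = east-secret-change-me
"""

# Constructed sample with three mistakes: host:port written into the
# reference itself, a plain-http management URI, and a stanza with no
# pass4SymmKey (so the search head cannot authenticate to that master).
BROKEN_SH_SERVER_CONF = """\
[clustering]
mode = searchhead
master_uri = clustermaster:west-coast.cluster.master:8089, clustermaster:east

[clustermaster:east]
master_uri = http://east-coast.cluster.master:8089
"""


def parse_conf(text):
    """Parse Splunk .conf text; it is INI-like, with '=' as the only delimiter."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case: Splunk expects pass4SymmKey, not pass4symmkey
    cp.read_string(text)
    return cp


def check_searchhead_conf(text):
    """Return a list of problems with a multi-cluster search head server.conf.

    An empty list means every clustermaster reference resolves to a stanza
    with an https master_uri and its own pass4SymmKey.
    """
    cp = parse_conf(text)
    if not cp.has_section("clustering"):
        return ["missing [clustering] stanza"]
    clustering = cp["clustering"]
    problems = []
    if clustering.get("mode") != "searchhead":
        problems.append("[clustering] mode must be 'searchhead'")
    refs = [r.strip() for r in clustering.get("master_uri", "").split(",") if r.strip()]
    if not refs:
        problems.append("[clustering] master_uri lists no cluster masters")
    seen_keys = {}
    for ref in refs:
        if not ref.startswith("clustermaster:"):
            problems.append(f"{ref!r} is not a clustermaster:<label> reference")
            continue
        label = ref[len("clustermaster:"):]
        if ":" in label or "/" in label:
            problems.append(f"{ref!r}: put host:port in a [clustermaster:<label>] stanza, not in the reference")
            continue
        if not cp.has_section(ref):
            problems.append(f"no [{ref}] stanza for reference {ref!r}")
            continue
        stanza = cp[ref]
        uri = stanza.get("master_uri", "")
        if not uri.startswith("https://"):
            problems.append(f"[{ref}] master_uri should be an https:// management URI, got {uri!r}")
        key = stanza.get("pass4SymmKey")
        if not key:
            problems.append(f"[{ref}] has no pass4SymmKey")
        else:
            seen_keys.setdefault(key, []).append(ref)
    for key, users in seen_keys.items():
        if len(users) > 1:
            problems.append(f"pass4SymmKey reused across {', '.join(users)}; use a distinct secret per cluster")
    return problems


if __name__ == "__main__":
    for name, conf in (("good", EAST_SH_SERVER_CONF), ("broken", BROKEN_SH_SERVER_CONF)):
        print(name, check_searchhead_conf(conf) or "ok")
```

On the West Coast side, the "cluster of one" master has to be a separate Splunk instance (an instance cannot be both master and peer), with `mode = master`, `replication_factor = 1`, `search_factor = 1` and the west `pass4SymmKey` under `[clustering]`; the West Coast indexer joins it with `mode = slave`, that master's `master_uri`, the same `pass4SymmKey` and a `[replication_port://<port>]` stanza. `pass4SymmKey` is the shared secret that authenticates cluster members to each other, so give each cluster its own strong value and restrict reachability of the 8089 management port between the coasts to the hosts that need it. Restart the search head after editing server.conf.
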
mahamed_splunk
Splunk Employee

In Splunk 6 you can have an SH search both clustered peers and one-off indexers.

See here for more info

http://docs.splunk.com/Documentation/Splunk/6.0/Indexer/Configurethesearchhead#Search_across_both_cl...

sowings
Splunk Employee

Strictly speaking, no, but it's not really in the clustering paradigm. 🙂

0 Karma

jmsiegma
Path Finder

Great answer. I did not think of that, given you would logically consider a cluster to have a minimum of 2 indexers.

What I ended up doing on the East Coast was removing the Search Head from the Cluster, and configuring the SH using the distsearch.conf file to manually point to my 3 East Coast cluster indexers and the single West Coast stand-alone indexer.

Do you see anything wrong with this method?

0 Karma