Set up a Distributed Peer, when Search Head is Part of a Cluster

Path Finder

I have a Cluster which has 3 Indexers and a Search Head on the East Coast. I also have a single standalone server (Indexer & Search Head) on the West Coast.

On the West Coast server, I was able to set up the three Indexers as distributed search peers, and I am able to search all three of them for any of the indexes.

But I don't have the ability to configure the West Coast Indexer on the East Coast Search Head that is part of the cluster.

How or what is the right way to do this?


Re: Set up a Distributed Peer, when Search Head is Part of a Cluster

Splunk Employee

When you're using a clustered setup, the search head pretty much ignores distsearch.conf, the traditional means of specifying search peers. It can only contact indexers that are part of a cluster. A lot of people, when migrating from a traditional distributed search setup to one involving clusters, employ a holdover "cluster of one". This is a cluster master, specifying a replication factor of one (1) and a search factor of one (1), with only the standalone indexers as peers. This means that the indexers function as they used to, while satisfying the "must be clustered" requirement for the search head to search across all of them.

To employ this strategy, you would need to create a "cluster of one" on the West Coast, and direct the East Coast SH to contact that cluster master. The configuration in the server.conf of the East Coast SH would look like this:

[clustering]
mode = searchhead
master_uri = clustermaster:west-coast.cluster.master:port, clustermaster:east-coast.cluster.master:port
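
The "cluster of one" layout described in this answer, written out for all three roles as an added example (not part of the original answer or Splunk's own configuration). It assumes the named-stanza form of `master_uri` from Splunk's documentation for searching across multiple clusters; the hostnames, the replication port and the `<...>` secrets are placeholders.

```ini
# --- West Coast cluster master: server.conf ---
# The master runs on its own Splunk instance, separate from the indexer.
[clustering]
mode = master
# One copy of each bucket, one searchable copy: no replication takes place,
# so the single indexer behaves as it did when it was standalone.
replication_factor = 1
search_factor = 1
# Shared secret for this cluster only; do not reuse the East Coast key.
pass4SymmKey = <west-cluster-secret>

# --- West Coast indexer, joined as the only peer: server.conf ---
# A peer must declare a replication port even when replication_factor = 1.
[replication_port://9887]

[clustering]
mode = slave
master_uri = https://west-master.example.com:8089
pass4SymmKey = <west-cluster-secret>

# --- East Coast search head: server.conf ---
[clustering]
mode = searchhead
# Each entry names a [clustermaster:<name>] stanza below.
master_uri = clustermaster:east, clustermaster:west

[clustermaster:east]
master_uri = https://east-master.example.com:8089
pass4SymmKey = <east-cluster-secret>

[clustermaster:west]
master_uri = https://west-master.example.com:8089
pass4SymmKey = <west-cluster-secret>
```

The East Coast search head needs to reach the management port (8089 here) of the West Coast master and of the West Coast indexer, so limit that port to the search head's address at the site firewall rather than opening it broadly.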


Re: Set up a Distributed Peer, when Search Head is Part of a Cluster

Path Finder

Great answer. I did not think of that, given you would logically consider a cluster to have a minimum of 2 indexers.

What I ended up doing on the East Coast was removing the Search Head from the Cluster, and configuring the SH using the distsearch.conf file to manually point to my 3 East Coast cluster indexers, and the single West Coast standalone indexer.

Do you see anything wrong with this method?


Re: Set up a Distributed Peer, when Search Head is Part of a Cluster

Splunk Employee

Strictly speaking, no, but it's not really in the clustering paradigm. 🙂


Re: Set up a Distributed Peer, when Search Head is Part of a Cluster

Splunk Employee

In Splunk 6 you can have a SH search both clustered peers and one-off indexers.

See here for more info

http://docs.splunk.com/Documentation/Splunk/6.0/Indexer/Configurethesearchhead#Search_across_both_cl...