×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
dustymehul
Explorer
Member since: ‎05-14-2019
‎06-05-2020
Community Statistics
Posts 9
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎05-14-2019
Activity Feed
View All

Re: Custom authentication.conf for Search Head Clu...

by in Security
‎10-24-2019 05:09 AM
‎10-24-2019 05:09 AM
I would guess that your configuration is bringing in all AD groups for the organization. What we follow to to limit that is enforce a naming standard for AD groups that need access to splunk, In our instance, have the word Splunk in the AD group name. And then in the configuration, we filter groups having Splunk . This significantly decreases the number of AD groups that the system has to deal with. By default the limit is 1000. You can view more details of this in the following answer - https://answers.splunk.com/answers/666277/ldap-with-more-then-1000-groups.html Regarding the error, I have seen that occur when the system is at capacity. I would check resource utilization on your search head cluster. If you have high number of scheduled searches running, this might be eating up your CPU. Typically one search utilizes one CPU core. ... View more

Re: repFactor value with and without indexer disco...

by SplunkTrust in Deployment Architecture
‎07-16-2019 05:48 AM
‎07-16-2019 05:48 AM
Sending data to four indexers also impacts you. It's four times the license usage and you lose out on the security replication offers. Consider setting the useACK = true setting in inputs.conf. This will ensure the data is indexed before the forwarder moves on. Also consider using indexer discovery. This is where the cluster master tells the forwarders which indexer to use and is helpful when an indexer is down. Don't take down multiple Splunk servers at the same time, especially those in the same tier (indexer, search head, etc.). When an indexer is brought back on-line, allow time for rebalancing to occur before bringing down the next indexer. ... View more

Re: Reuse Splunk Instance

by Splunk Employee in Deployment Architecture
‎06-11-2019 12:10 PM
‎06-11-2019 12:10 PM
I'd be interested in understanding your reasons for preferring to reuse/cleanup rather than just install a new instance. ... View more

Re: Search head and Search Head Cluster to indexer...

by SplunkTrust in Deployment Architecture
‎05-26-2019 09:58 AM
‎05-26-2019 09:58 AM
https://docs.splunk.com/Documentation/Splunk/7.2.6/DistSearch/Migratefromstandalonesearchheads ... View more

Replicating Splunk Search Head (Not Clustering)

by in Splunk Enterprise
‎05-14-2019 04:52 AM
‎05-14-2019 04:52 AM
Hi, I am looking to replicate all the Search Head Configurations (Users, Roles, Dashboards, Apps etc) from one working Search Head to a new instance of Search Head as a part of Disaster Recovery. But, i am not looking to cluster them. I am looking for those files/directories that i can keep in sync on two Search Head servers so that all that is visible on SH1 is also visible via SH2. Please Help me find related documents for doing this. ... View more

Re: Splunk search heads "waiting for data..."

by in Deployment Architecture
‎06-20-2019 01:33 AM
‎06-20-2019 01:33 AM
For me its a new setup. i have a stand alone Search Head node running in parallel with SH-Cluster(new) over Indexer Cluster(old). Stand Alone SH Node has proper configurations and roles-index mapping. I am not sure, if i am facing the issue because of incorrect role mapping. Here are some observations - "sourcetype="mySourceType" " does not returns any event from new SH-Clustered node but, "index=* sourcetype="mySourceType" " returns correct events. Now my idea is to push the apps and user configurations from StandAlone SH Node to SH-Cluster nodes via Deployer. Although i am not sure if this will work ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to