Activity Feed
- Karma Re: Why receiving an ERROR when updating mmapv1 storage engine to wiredTiger? for TassiloM. 04-26-2024 12:30 AM
- Posted Re: Need help ingesting /var/log/mail.log.1 on Getting Data In. 02-27-2024 03:24 AM
- Posted Need help ingesting /var/log/mail.log.1 on Getting Data In. 02-27-2024 02:37 AM
- Posted Re: Splunk cluster master migration on Splunk Enterprise. 01-25-2024 11:46 PM
- Posted Re: Splunk cluster master migration on Splunk Enterprise. 01-25-2024 07:04 AM
- Karma Re: Splunk cluster master migration for isoutamo. 01-25-2024 07:04 AM
- Posted Re: Splunk cluster master migration on Splunk Enterprise. 01-24-2024 08:18 AM
- Posted Re: Splunk cluster master migration on Splunk Enterprise. 01-12-2024 04:20 AM
- Karma Re: Splunk cluster master migration for PickleRick. 01-12-2024 04:14 AM
- Karma Re: Splunk cluster master migration for isoutamo. 01-12-2024 04:14 AM
- Posted Re: Splunk cluster master migration on Splunk Enterprise. 01-08-2024 11:58 PM
- Posted Splunk cluster master migration on Splunk Enterprise. 01-08-2024 07:47 AM
02-27-2024 03:24 AM
Thanks Giuseppe. I don't see any historical data in my index as yet; this is what's in the splunkd.log file:
02-27-2024 02:37 AM
I have a number of log-rotated files for mail.log in the /var/log folder on a unix system. The /var/log/mail.log file gets ingested just fine, so I know permissions aren't an issue. However, I'd like to also ingest the older data that was log-rotated, but for the purpose of ingesting, those files were untarred again, so I have mail.log.1 to mail.log.4. I have tried numerous stanzas and regexes in the whitelist, but none lead to the older data getting ingested. The one I currently have in place is:

```
[monitor:///var/log/]
index = postfix
sourcetype = postfix_syslog
whitelist = (mail\.log$|mail\.log\.\d+)
```

Thanks for any suggestions in advance.
Labels: inputs.conf, universal forwarder, whitelist
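A quick way to check what the stanza above would select before restarting a forwarder is to replay Splunk's whitelist/blacklist semantics (both are regexes searched unanchored against the full path, and a blacklist match wins) over a directory listing. The script below is an added example, not code from the post or from Splunk; the file listing and the tightened whitelist variant are constructed assumptions, and the tightened pattern shows how the poster's unanchored `\d+` alternative also picks up compressed rotations such as `mail.log.5.gz`.

```python
import re
from typing import Dict, Iterable, List

# Constructed listing of /var/log (assumption, not taken from the post). It holds
# the untarred rotations mail.log.1-4, one still-compressed rotation, and two
# unrelated files, so the effect of each whitelist is visible.
SAMPLE_PATHS = [
    "/var/log/mail.log",
    "/var/log/mail.log.1",
    "/var/log/mail.log.2",
    "/var/log/mail.log.3",
    "/var/log/mail.log.4",
    "/var/log/mail.log.5.gz",
    "/var/log/mail.err",
    "/var/log/syslog",
]

def parse_stanza(text: str) -> Dict[str, str]:
    """Parse one inputs.conf [monitor://...] stanza into key/value pairs."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def monitor_selects(settings: Dict[str, str], paths: Iterable[str]) -> List[str]:
    """Return the paths a monitor stanza would pick up: whitelist and blacklist
    are regexes searched (unanchored) against the full path; blacklist wins."""
    allow = re.compile(settings["whitelist"]) if "whitelist" in settings else None
    deny = re.compile(settings["blacklist"]) if "blacklist" in settings else None
    selected: List[str] = []
    for path in paths:
        if deny and deny.search(path):
            continue
        if allow is None or allow.search(path):
            selected.append(path)
    return selected

# The stanza exactly as given in the post.
POSTER_STANZA = """
[monitor:///var/log/]
index = postfix
sourcetype = postfix_syslog
whitelist = (mail\\.log$|mail\\.log\\.\\d+)
"""

# Tightened variant (assumption): anchoring the optional rotation suffix keeps
# mail.log and mail.log.N but drops compressed rotations like mail.log.5.gz.
TIGHTENED_STANZA = POSTER_STANZA.replace(
    r"whitelist = (mail\.log$|mail\.log\.\d+)", r"whitelist = mail\.log(\.\d+)?$")

if __name__ == "__main__":
    for name, stanza in (("poster", POSTER_STANZA), ("tightened", TIGHTENED_STANZA)):
        print(name, monitor_selects(parse_stanza(stanza), SAMPLE_PATHS))
```

Since the poster's regex already matches mail.log.1 through mail.log.4, a whitelist that selects the files but yields no events points at something other than the pattern (for example files the forwarder has already recorded as read), which is worth checking in splunkd.log before changing the stanza again.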
01-25-2024 11:46 PM
Yes, that was the documentation I was going on as well. As soon as I switched the old host to Standalone mode and configured Distributed mode on the new host, the indexers appeared, so that's the first part of the migration done anyway.
01-25-2024 07:04 AM
That's interesting, because I added all the search heads to the new MC, plus the current cluster master, and I don't see the indexers listed in distributed mode. I guess it may come after I've completed the setup of distributed mode, but I need to make the new instance a search head first according to the documentation, so I'll start there.
01-24-2024 08:18 AM
I'm planning to move the MC role to the new server; however, it needs to be configured as a search head to a multisite indexer cluster first. As far as I can gather from the documentation, https://docs.splunk.com/Documentation/Splunk/8.2.2/Indexer/MultisiteCLI#Configure_the_search_heads, I just need to run the CLI command mentioned there on the new host, changing the master URI to my current master. However, after doing this and restarting Splunk on the new host, do I actually need to go into my old host and set the MC mode to standalone before restarting, or will that automatically be done when I continue setting up Distributed mode on the new host? And finally, when do the clustered indexers get picked up as search peers in the MC, given I don't add them manually?
01-12-2024 04:20 AM
The thing is, we've had this existing setup for years and never had any issues. Therefore, I had hoped to do a like-for-like swap to the new host, to prevent any further complications of building out more machines and making sure all hosts can connect, etc. However, I appreciate the replies and will try and implement some of these recommendations at least.
01-08-2024 11:58 PM
Correct, this is what is listed in the Monitoring Console as having all these roles. Our setup is as follows:
- 2 sites
- 9 Search Heads, clustered (5 in 1 site, 4 in the other)
- 8 indexers, clustered (split evenly)
- 2 heavy forwarders (site 1 only)
- 1 cluster master

I believe the documentation mentions somewhere that in order to have a cluster master orchestrate clusters, it needs to take on the role of the cluster it's trying to orchestrate, i.e. search head or indexer. It doesn't actually fulfil those roles.
01-08-2024 07:47 AM
I need to migrate our cluster master to a new machine. It currently has these roles:
- Cluster Master
- Deployment Server
- Indexer
- License Master
- Search Head
- SHC Deployer

I already migrated the License Master role to the new server and it's working fine. I've been trying to follow the documentation here: https://docs.splunk.com/Documentation/Splunk/8.2.2/Indexer/Handlemanagernodefailure

From what I gather, I need to copy all the files in /opt/splunk/etc/deployment-apps, /opt/splunk/etc/shcluster and /opt/splunk/etc/master-apps, plus anything that's in /opt/splunk/etc/system/local. Then add the passwords in plain text to the server.conf in the local folder, restart Splunk on the new host and point all peers and search heads to the new master in their respective local server.conf files. Is there anything else that needs to be done, or would this take care of switching the cluster master entirely? And is there a specific order in which to do things?