Can anyone provide the steps to get an index cluster set up?
Splunk Docs seems to jump around a lot and not provide an instructional setup.
From what I gather, and what I have done is:
Build out 3 Splunk servers
Set up the first Splunk server as my master, setting my RF as 2, and my SF as 2.
Set up Splunk box 2 and 3 as peers.
When viewing the "index clustering" page in the interface on my master, I see that I have green checks, and that I have 2 peers searchable, and 3 indexes searchable (_audit, _telemetry, and _internal).
I think this is the correct way.
I have a couple of questions:
How do I go about adding another index to be searchable, such as if I wanted to monitor /var/log/messages?
Should my Universal Forwarder on Linux be pointing towards the master node, or does it point to my 2 peer nodes?
Do I have to go to each Splunk server, navigate to "Settings > Indexes", and create my "messages" index on each one?
Thanks!
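The three-node layout described in the post (one master with RF 2 and SF 2, two peers) written out as Splunk .conf stanzas, followed by the index, forwarder and input stanzas the three questions concern; this is an added example, not part of the original post, and the hostnames, ports, cluster label and secret placeholder are assumptions. The post's "master"/"slave" terms are used because they match the post; Splunk 8.1 and later also accept "manager", "peer" and manager_uri.

```ini
# --- Master node: $SPLUNK_HOME/etc/system/local/server.conf ---
# Hostnames below are placeholders (assumption).
[clustering]
mode = master
replication_factor = 2
search_factor = 2
cluster_label = lab-cluster
# Must be identical on the master and every peer; never leave the default.
pass4SymmKey = REPLACE_WITH_SHARED_CLUSTER_SECRET

# --- Each peer (splunk-peer1, splunk-peer2): etc/system/local/server.conf ---
# Port peers use to copy bucket data to each other.
[replication_port://9887]

[clustering]
mode = slave
master_uri = https://splunk-master:8089
pass4SymmKey = REPLACE_WITH_SHARED_CLUSTER_SECRET

# --- Each peer: etc/system/local/inputs.conf ---
# Receiving port for forwarders.
[splunktcp://9997]

# --- New index: defined ONCE on the master, not on each peer ---
# File: $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf
# Push it with: splunk apply cluster-bundle
[messages]
homePath   = $SPLUNK_DB/messages/db
coldPath   = $SPLUNK_DB/messages/colddb
thawedPath = $SPLUNK_DB/messages/thaweddb
# auto = follow the cluster's replication/search factor
repFactor  = auto

# --- Universal Forwarder: etc/system/local/outputs.conf ---
# Data goes to the peers (load-balanced), never to the master.
[tcpout]
defaultGroup = cluster_peers

[tcpout:cluster_peers]
server = splunk-peer1:9997, splunk-peer2:9997
autoLBFrequency = 30

# --- Universal Forwarder: etc/system/local/inputs.conf ---
[monitor:///var/log/messages]
index = messages
sourcetype = syslog
```

Splunk .conf files only honour comments on their own line, so keep the `#` lines separate from key/value lines as above; after editing the peer bundle on the master, check the "index clustering" page to confirm the new index shows as searchable on both peers.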