
What is the correct installation and configuration for the Fire Brigade version 2 app and add-on in an indexer clustering environment?

transtrophe
Communicator

I am setting up Fire Brigade v 2.0.3 to monitor my Splunk deployment (using index clustering with RF = 5 and SF = 3). The documentation for Fire Brigade provided a brief discussion of a few options in terms of deployment, but I am still a little unclear as to the recommended deployment when monitoring an indexer cluster. It seems like my options are as follows:

  1. Deploy Fire Brigade and the TA on the cluster master including making the master a search-head.
  2. Same as 1 including distributing the TA to all the index cluster peers doing a cluster-bundle apply.
  3. Deploy Fire Brigade and the TA on and across the search-head cluster.
  4. Deploy Fire Brigade and the TA on a stand-alone search-head
  5. Same as 4 including distributing the TA to all the index cluster peers doing a cluster-bundle apply.

I am also not really clear on configuring monitored_indexes.csv. Firstly, I don't find anything so far in the Fire Brigade UI for configuring this CSV. Secondly, looking on the stand-alone SH where I currently deployed FB and its TA, running 'find /opt/splunk -name monitored_indexes*' as the root account returned no file. Same situation when looking for this file on the index cluster master (I uploaded the TA to the master in case it is recommended to apply the TA across the cluster).

1 Solution

esix_splunk
Splunk Employee

Firebrigade-TA goes on the indexers; it can be deployed with 'master-apps' on the CM.

The app itself will go on a search head, doesn't need to be the CM.

As for monitored indexes, there is a saved search that runs every night in the early AM. It builds that list based on all the indexes that are replicating.

Install that, and wait. It will be populated within 24 hours, as I believe is noted in the docs.

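The deployment the answer describes, as an added example that is not part of the original thread or of the Fire Brigade app: the TA is staged into master-apps on the cluster master and pushed to the peers with a cluster bundle, while the app itself is installed separately on a search head. The paths, the add-on directory name and the SPLUNK_HOME default are assumptions; the splunk CLI subcommands used are the standard indexer-clustering ones (validate cluster-bundle, apply cluster-bundle, show cluster-bundle-status).

```shell
#!/bin/sh
# Added example (not from the original post): stage the Fire Brigade TA into
# master-apps on the cluster master and roll it out to the peers.
# Assumptions: SPLUNK_HOME defaults to /opt/splunk; the unpacked add-on lives
# in a directory whose basename is the app name (e.g. TA-firebrigade).

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# stage_ta SRC_DIR MASTER_APPS_DIR
# Copies the unpacked add-on into master-apps after checking that it looks
# like a Splunk app (has default/app.conf). Prints the staged path on success,
# returns 1 if SRC_DIR is not an app. Runs with plain POSIX sh.
stage_ta() {
    src="$1"
    master_apps="$2"
    if [ ! -f "$src/default/app.conf" ]; then
        echo "stage_ta: $src has no default/app.conf, refusing to stage" >&2
        return 1
    fi
    name=$(basename "$src")
    mkdir -p "$master_apps"
    # Replace any previous copy so stale files do not linger in the bundle.
    rm -rf "$master_apps/$name"
    cp -R "$src" "$master_apps/$name"
    # Site-specific overrides belong in the staged copy's local/, never in the
    # peers' own etc/apps, which the bundle would overwrite on the next apply.
    echo "$master_apps/$name"
}

# push_bundle
# Validates the staged bundle, applies it (the master distributes it to every
# peer and restarts them if needed), then shows the rollout status.
# Returns 2 if the splunk CLI is not present on this host.
push_bundle() {
    splunk="$SPLUNK_HOME/bin/splunk"
    if [ ! -x "$splunk" ]; then
        echo "push_bundle: splunk CLI not found at $splunk" >&2
        return 2
    fi
    "$splunk" validate cluster-bundle || return 1
    "$splunk" apply cluster-bundle --answer-yes || return 1
    "$splunk" show cluster-bundle-status
}

# Usage on the cluster master (only runs when invoked with --run):
#   sh deploy_ta.sh --run /tmp/TA-firebrigade
if [ "${1:-}" = "--run" ]; then
    stage_ta "$2" "$SPLUNK_HOME/etc/master-apps" && push_bundle
fi
```

After the bundle is applied, the app on the search head still has to wait for its nightly saved search to populate monitored_indexes.csv; nothing in the bundle push creates that file.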

ppablo
Retired

FYI, Fire Brigade version 2 will no longer be updated (latest version is 2.0.3). The newer versions 2.0.4 and higher will now be available with the original “Fire Brigade” app on Splunkbase which was just updated to support Splunk 6.3. This is noted on the page for Fire Brigade on Splunkbase:
https://splunkbase.splunk.com/app/1581/

If you have any questions, ping the developer of the app @sowings

Cheers!


transtrophe
Communicator

Thanks esix_splunk - doing your recommended config now.
