Deployment Architecture

Help setting up a search head cluster?

bofa123
New Member

New to Splunk, can anyone help me build a SH Cluster? Any videos would be great. I tried reading the tutorials on Splunk but I'm still confused. I already have a practice environment set up.

http://docs.splunk.com/Documentation/Splunk/6.6.3/DistSearch/SHCdeploymentoverview

0 Karma

gcusello
Esteemed Legend

Hi bofa123,
I deployed a Search Head Cluster following the instructions in the documentation at http://docs.splunk.com/Documentation/Splunk/6.6.3/DistSearch/AboutSHC
I found only one problem (not documented in the docs but in answers), described above

In short:

Deployer Configuration

  • Search Head Cluster Label Configuration:
    • In the etc/system/local/server.conf file, insert the [shclustering] stanza
    • In that stanza, insert the row shcluster_label = my_cluster_label
  • Deployer's security key configuration:
    • In the etc/system/local/server.conf file, insert your own password (not encrypted) in the row "pass4SymmKey" of the [general] or [shclustering] stanza; at the first restart Splunk will encrypt it
  • Restart Splunk

Cluster Members Configuration

  • run command
    • splunk init shcluster-config -auth 'admin:password' -mgmt_uri https://server_address:8089 -replication_port 8079 -replication_factor 3 -conf_deploy_fetch_url https://deployer_address:8089 -shcluster_label shcluster1
    • BEWARE: don't set the -secret=password parameter (it's described in the documentation!) because it doesn't run!
  • splunk restart
  • in the /opt/splunk/etc/system/local/server.conf file, modify the row pass4SymmKey, inserting the secret password in clear
  • splunk restart

Captain Configuration

Adding Search Peers

  • Distributed Search Configuration
  • Add Peer 1
  • URI peer https://Indexer_1_IP:8089
  • Remote User Service_User_On_Indexer_1
  • Remote Password Service_User_On_Indexer_1 password
  • Confirm Password and so on

Then copy your Apps on Deployer and deploy them using Deployer.
All following updates will be automatically deployed by Cluster.

Bye.
Giuseppe

0 Karma
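
A check for the "insert the key in clear, then restart" step in the answer above, as an added example that is not part of the original thread or Splunk's own tooling: it parses a server.conf and reports whether pass4SymmKey is missing, still in cleartext, or left at the old default, and whether shcluster_label is the expected one. It assumes encrypted values carry Splunk's `$1$` or `$7$` prefix; the sample file, the function names and the finding names are constructed for illustration.

```python
import re

# Constructed sample: a member's etc/system/local/server.conf after the key
# was typed in clear and BEFORE the restart (all values are placeholders).
SAMPLE_MEMBER_CONF = """\
[general]
pass4SymmKey = $1$constructedCiphertext==

[shclustering]
conf_deploy_fetch_url = https://deployer_address:8089
mgmt_uri = https://server_address:8089
replication_factor = 3
shcluster_label = shcluster1
pass4SymmKey = my_cluster_secret
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit_shc_conf(text, expected_label):
    """Return findings for the SHC label and security key settings."""
    conf, findings = parse_conf(text), []
    shc = conf.get("shclustering", {})
    if shc.get("shcluster_label") != expected_label:
        findings.append("label-mismatch")
    # The answer names two places for the key: [shclustering] or [general].
    key = shc.get("pass4SymmKey") or conf.get("general", {}).get("pass4SymmKey")
    if not key:
        findings.append("key-missing")
    elif key == "changeme":  # shipped default in older Splunk versions
        findings.append("key-default")
    elif not re.match(r"\$\d\$", key):  # no $1$/$7$ prefix: not yet encrypted
        findings.append("key-cleartext")
    return findings
```

A "key-cleartext" finding that persists after the restart means the file on disk still holds the secret in readable form and should be treated as exposed to anyone who can read that path.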