Deployment Architecture

Why is there a failure error when integrating splunk SH cluster with Indexing Cluster?

dannyard
New Member

We have 3 node indexer Cluster and have setup a 3 node Search Head(SH) cluster. We are trying to integrate the SH cluster with the index cluster. I'm running the following command:
./splunk edit cluster-config -mode searchhead -master_uri https://master:8089 -secret

I run this on each SH cluster member and they all give the following response:
Could not contact master. Check that the master is up, the master_uri=https://master:8089 and secret are specified correctly

I've confirmed that everything is correct. I tested with curl and telnet to make sure the master could be reached on 8089 from each SH. The search head cluster is up and running as is the indexer cluster. I've attempted to change master to fqdn and IP address.

Does anyone have any other suggestions? This seems like such an easy fix but it's been driving me crazy for 2 days.

0 Karma

deepashri_123
Motivator

Hey dannyard,

In your command after secret the secretkey also has to be added.
./splunk edit cluster-config -mode searchhead -master_uri https://master:8089 -secret secretkey

You can refer the doc below:
http://docs.splunk.com/Documentation/Splunk/7.0.2/DistSearch/SHCdeploymentoverview

Let me know if this works!!

0 Karma

dannyard
New Member

Sorry, yes - I accidentally left that of my post but I am adding the password after secret

As an update, I went into server.conf on each SH cluster member and changed mode=disabled to mode=searchhead. I imagine that is what the command is supposed to do but it didn't work

After doing so I was able to get the SH cluster integrated with the indexer cluster. I went back to run that command and this time it was successful, or so it said. Of course all was working so not sure if it actually did anything, but at least the command execution didn't error out. Wonder if others have had issues with this command

0 Karma

dannyard
New Member

I found a post online from someone that submitted their server.conf. I noticed on our searchheads, each server.conf file had mode=disabled whereas the poster had mode=searchhead. I changed that on each of my searchheads and now I am able to query the index cluster, but I'm not getting the same amount of data the stand alone search head sees (It's looking at the same indexer cluster)

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...