Deployment Architecture

distsearch.conf documentation confusion

omeniasty
New Member

Hello Guys,

I am preparing for Splunk Enterprise Admin certification and I am getting a bit confused by the documentation in Splunk docs.

Namely, there are two different statements in distsearch.conf stanza, and not sure which one is the right one.

Splunk/8.1.2/DistSearch/Configuredistributedsearch - here states:

"Add the search peers

To connect the search peers:

1. On the search head, create or edit a distsearch.conf file in $SPLUNK_HOME/etc/system/local.

2. Add the search peers to the servers setting under the [distributedSearch] stanza. Specify the peers as a set of comma-separated values (host names or IP addresses with management ports). For example:

[distributedSearch]
servers = https://192.168.1.1:8089,https://192.168.1.2:8089

Note: You must precede the host name or IP address with the URI scheme, either "http" or "https"."

 

Splunk/8.1.2/DistSearch/Distributedsearchgroups - the other one here states:

"You define distributed search groups in distsearch.conf.

For example, to create the two search groups NYC and SF, create stanzas like these:

You define distributed search groups in distsearch.conf.

For example, to create the two search groups NYC and SF, create stanzas like these:

[distributedSearch]
# This stanza lists the full set of search peers.
servers = 192.168.1.1:8089, 192.168.1.2:8089, 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089

[distributedSearch:NYC]
# This stanza lists the set of search peers in New York.
default = false
servers = 192.168.1.1:8089, 192.168.1.2:8089

[distributedSearch:SF]
# This stanza lists the set of search peers in San Francisco.
default = false
servers = 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089

 

In the first example, it says that "http/https" is required in hostname/IP under servers variable in [distriburedSearch] stanza, the other one omits it and does not say anything about "http/https" as the required value. I am not at the stage of testing this myself yet, so was thinking maybe I can ask here.

 

Thanks in advance 

Labels (3)
0 Karma

omeniasty
New Member

Just worth adding that documentation for "adding search peers" through CLI, Splunk Web says that http/https is required.

Even Splunk Web console when states this info "Specify the search peer as servername:mgmt_port or URI:mgmt_port. You must prefix the URI with its scheme. For example: 'https://sp1.example.com:8089'."

Does it mean that both versions are acceptable or Splunk/8.1.2/DistSearch/Distributedsearchgroups page is wrong?

0 Karma
Get Updates on the Splunk Community!

This Week's Community Digest - Splunk Community Happenings [9.26.22]

Get the latest news and updates from the Splunk Community here! Upcoming User Group Events! 👏 Check ...

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...