Deployment Architecture

distsearch.conf documentation confusion

omeniasty
New Member

Hello Guys,

I am preparing for Splunk Enterprise Admin certification and I am getting a bit confused by the documentation in Splunk docs.

Namely, there are two different statements in distsearch.conf stanza, and not sure which one is the right one.

Splunk/8.1.2/DistSearch/Configuredistributedsearch - here states:

"Add the search peers

To connect the search peers:

1. On the search head, create or edit a distsearch.conf file in $SPLUNK_HOME/etc/system/local.

2. Add the search peers to the servers setting under the [distributedSearch] stanza. Specify the peers as a set of comma-separated values (host names or IP addresses with management ports). For example:

[distributedSearch]
servers = https://192.168.1.1:8089,https://192.168.1.2:8089

Note: You must precede the host name or IP address with the URI scheme, either "http" or "https"."

 

Splunk/8.1.2/DistSearch/Distributedsearchgroups - the other one here states:

"You define distributed search groups in distsearch.conf.

For example, to create the two search groups NYC and SF, create stanzas like these:

You define distributed search groups in distsearch.conf.

For example, to create the two search groups NYC and SF, create stanzas like these:

[distributedSearch]
# This stanza lists the full set of search peers.
servers = 192.168.1.1:8089, 192.168.1.2:8089, 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089

[distributedSearch:NYC]
# This stanza lists the set of search peers in New York.
default = false
servers = 192.168.1.1:8089, 192.168.1.2:8089

[distributedSearch:SF]
# This stanza lists the set of search peers in San Francisco.
default = false
servers = 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089

 

In the first example, it says that "http/https" is required in hostname/IP under servers variable in [distriburedSearch] stanza, the other one omits it and does not say anything about "http/https" as the required value. I am not at the stage of testing this myself yet, so was thinking maybe I can ask here.

 

Thanks in advance 

Labels (3)
0 Karma

omeniasty
New Member

Just worth adding that documentation for "adding search peers" through CLI, Splunk Web says that http/https is required.

Even Splunk Web console when states this info "Specify the search peer as servername:mgmt_port or URI:mgmt_port. You must prefix the URI with its scheme. For example: 'https://sp1.example.com:8089'."

Does it mean that both versions are acceptable or Splunk/8.1.2/DistSearch/Distributedsearchgroups page is wrong?

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...