We are building a Splunk clustered environment for our dev environment. We have a License Master set up. We want the Monitoring Console to be set up on the same License Master instance. Please let me know what steps are to be followed for that.
Thanks in advance.
I hope this could help you out.
Most Common Implementation and Deployment Framework
1. Install Splunk Enterprise on license master and configure license master
2. Install Splunk Enterprise on indexers and configure indexers (alternatively for indexer cluster, install Splunk Enterprise on cluster master and indexers and configure indexer cluster)
3. Install Splunk Enterprise on search heads and configure search heads
4. Install Splunk Enterprise on deployment server and configure deployment server
5. Install Splunk universal forwarder on input devices and configure universal forwarders to connect to deployment server and to forward to indexers
6. Install Splunk Enterprise on DMC monitoring console server and configure monitoring console
7. (Optional) Install Splunk Enterprise on heavy forwarders and configure heavy forwarders
Install and Configure Splunk Indexer
1. Install Splunk Enterprise on Linux Server (If you need to create a Linux Server first, visit ___)
2. Configure Splunk Instance to be an Indexer
3. Connect Splunk Indexer to Splunk Search Head (Must configure Search Head first, see instructions here)
4. Peer Splunk Indexer to DMC (Monitoring Console) for monitoring
Search peers and ensure that ALL Splunk infrastructure nodes are peers. When you peer the Cluster Master, the Indexers should peer in, but if not, add those, too.
Monitoring Console -> General Setup and select Distributed Mode then edit each peer to manually assign the correct roles. Click Apply and then PROFIT!!!
@woodcock, but the monitoring console is to be shared with the License master. The clustered indexers cannot be added. For monitoring an indexer cluster and you are hosting the monitoring console on an instance other than the cluster master, you must add the cluster master as a search peer and you must configure the monitoring console instance as a search-head in that cluster.
So, I believe in my case the License master needs to be added as a search head cluster as the DMC needs to be configured in this same instance.
So, can the License master be added as a search head cluster?
You are mixing up concepts and terms. There is no such thing as a management console so I have no idea what you mean there. A License Master already IS a Search Head, it just doesn't have any peers by default and you need to change that in order for it to also become the Monitoring Console. I have done this many times. Just add the peers (either directly, or via the Cluster Master) and run the setup.
I am sorry, just corrected the "management" to "monitoring". What I meant is that the clustered indexers cannot be added to the search peers directly in the Splunk instance web where the monitoring console needs to be set up. The cluster master needs to be added as a search peer in the monitoring console. Please correct me if I am wrong here.
@woodcock Thanks for the response 🙂 I have added the instances individually and can see the data for those instances in Monitoring Console now. I will be grateful if you could give an insight on the below doubts as well.
What server roles need to be assigned to each instance? Are the KV roles to be set only for the search head?
While Applying Changes I got an error message for one of the search heads that said "Atleast one of the instance is not forwarding its internal logs". But I do see the data and graphs for the servers in the Monitoring Console.
Search Heads should get Search Head and KV Store, everything else should be obvious. You probably have Search Heads that do not have outputs.conf to send their logs to the Indexers which is the warning and you should fix that. Yes, EVERY node should be added as a search peer. Even your Heavy Forwarders which should be set as
The process is the same no matter where you install the MC. See https://docs.splunk.com/Documentation/Splunk/8.0.0/DMC/Configureindistributedmode for the instructions.
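
An added example, not part of the thread and not Splunk's own tooling: a small Python check for the gap the answer above points to, a search head whose outputs.conf has no usable forwarding target. The sample file contents, the group name and the host names are constructed placeholders, and the parser assumes every setting sits under a stanza header.

```python
import configparser

# Constructed sample: a search head that forwards to the indexer layer.
# Group name and host names are placeholders, not values from the thread.
FORWARDING_SH = """\
[indexAndForward]
index = false

[tcpout]
defaultGroup = primary_indexers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
"""

# Constructed sample: a search head with no forwarding target at all.
LOCAL_ONLY_SH = """\
[tcpout]
indexAndForward = false
"""


def forwarding_problems(conf_text):
    """Return reasons why this outputs.conf text cannot forward to indexers."""
    cp = configparser.ConfigParser(delimiters=("=",), strict=False,
                                   interpolation=None)
    cp.optionxform = str  # keep Splunk's case-sensitive setting names
    cp.read_string(conf_text)

    names = cp.get("tcpout", "defaultGroup", fallback="")
    groups = [g.strip() for g in names.split(",") if g.strip()]
    if not groups:
        return ["no defaultGroup under [tcpout]"]

    problems = []
    for group in groups:
        servers = cp.get("tcpout:" + group, "server", fallback="")
        entries = [s.strip() for s in servers.split(",") if s.strip()]
        if not entries:
            problems.append(f"[tcpout:{group}] has no server list")
        for entry in entries:
            host, _, port = entry.rpartition(":")
            if not host or not port.isdigit():
                problems.append(f"[tcpout:{group}] bad server entry: {entry}")
    return problems
```

Run it over the outputs.conf text collected from each search head before clicking Apply in the Monitoring Console; an empty list means a default output group with at least one well-formed host:port target is defined.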