Splunk Search

Deploy search head cluster

siemteam
Explorer

Hello,

I'm deploying a search head cluster and I have a doubt about the steps described on the following link:

https://docs.splunk.com/Documentation/Splunk/7.2.1/DistSearch/SHCdeploymentoverview

I understand that server.conf file is the file that you can find on /opt/splunk/etc/system/default folder, it's ok?

On this file I can see too the configuration line "disabled=true" but documentation don't specify as necesary modify this flag, it's ok or should I change to false?

Thanks

Tags (1)
0 Karma

dkeck
Influencer

HI,

you do not want to change server.conf in /opt/splunk/etc/system/default. If you want to change config in server.conf than create a new server.conf in /opt/splunk/etc/system/local and change only the stanzas that are neccessary. Do not copy the whole default/sever.conf content.

Kind Regards

0 Karma

siemteam
Explorer

Thanks for your answer.

And what about "dissabled=true"?

0 Karma

dkeck
Influencer

just follow the steps in the manual that you liked and you should be fine

Depends where in server.conf this was set, but if it was set in default server.conf could have its right to be there, If the manual it not teling you to change this, then dont.

0 Karma

dkeck
Influencer

Did this work for you ?

if it helped please accept the question 🙂

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...