Search Head Deployer in a SH Cluster: What happens to local?
I have been doing a few tests on how configurations are pushed when applying a shcluster bundle. However, I would like to find some definitive answers if at all possible. On the deployer in...
View ArticleWhen adding an indexer to a distributed environment, is there a configuration...
Is there a configuration that makes indexers exchange events in order to auto load balance them? Let's say I add an indexer into distributed environment. I want to use it without reconfiguring syslog...
View ArticleWhere to install and configure the Splunk Add-on for Bro IDS in an indexer...
So after spending a lot of time googling this issue, finally I get some mixed comments. Hence thought of asking the question here to get the clarification on the issue. Starting with the environment, I...
View ArticleWhy is the Splunk Add-on for Citrix NetScaler not parsing syslog data...
Hi, I have a distributed environment of Splunk running 6.3, I have a search head, cluster master, indexer & heavy forwarder. I have syslog data coming from netscalers on the heavy forwarder where I...
View ArticleSplunk Distributed Peer error on 6.2.6 a week after extending the certs
Posting a question after an year, so bear with me. We're on Splunk 6.2.6 and recently 2 weeks back updated the default Splunk certs using the script provided by Splunk. This was done in 3 environments....
View ArticleHow can I find whether an environment is clustered or distributed? If it is...
I have 4 servers in which 2 are clustered and are used as search heads, a 3rd one is Splunk Enterprise Security, and the 4th server is search head pooling. These are connected to indexers. I want to...
View ArticleDistributed search groups not actually filtering searches
We are using distributed search groups ( http://docs.splunk.com/Documentation/Splunk/6.4.2/DistSearch/Distributedsearchgroups ). We have 2 sets of indexers: index group A and index group b. We have a...
View ArticleWhy is one indexer faster at search than the other two - troubleshooting...
I have three indexers. All configured the same all with the same hardware (16 cores 32 GB ram). I have a simple search for internal data ` index=_internal host=My-License-Manager...
View Articlewhere do you install Python for Scientific Computing (for Linux 64-bit) in a...
Where does the Python for Scientific Computing SA get installed in a distributed environment? Indexers? Search Heads? Both?
View ArticleWhat is the difference between Cluster master and License master in a...
What is the difference between Cluster master and License master in a distributed Environment? Any major differences and detailed explanation of both would be great.
View ArticleSSO with SAML in distributed environment : Why is data retrieved and seen in...
Hello, We are in a distributed configuration. We want to add SSO to Splunk Active Directory Federation Services (ADFS). We have only configured SSO with ADFS on the search head. For the authentication...
View ArticleWhy does my search peer come up as an error on my search head?
I've added a search head as a search peer and it's come up as "sick" with the following error. Can't seem to find any reference to it here. Error [00800000] Failed 11 out of 11 times. Servername used...
View ArticleCan we set the ttl for knowledge bundles on indexers?
We have a version 6.3.4 search head cluster and indexers, in a distributed search environment. Noticing that the searchpeers directory has the bundle along with the deltas. Can we set a time to live...
View ArticleSearch Head X running splunk version '6.4.0' does not support distributing...
What are the reasons which can cause this error in non clustered indexes ? As both the major and minor versions are the same between the SH and indexer (only the maintenance one is lower on the SH),...
View ArticleBefore planning to deploy a Distributed Search environment, is there a...
I am planning to deploy a Splunk Distributed Search Architecture in a mixed environment of 500 servers mostly Windows and some Red Hat Enterprise (RHEL) Linux 7. Splunk hosts will be RHEL 7.2 I will...
View ArticleHow to get existing KV Store to initialize after replacing one of the three...
Splunkers, Having trouble getting the kvstore to indicate that it is ready on any of the three members of the shcluster running Splunk 6.4.0 on CentOS 6.7. There are 5 existing KV Stores and none of...
View ArticleSplunk Enterprise Security: Is it possible to implement multi-tenancy in a...
Hello everybody. I deployed a Splunk Enterprise Security in a distributed environment for our customer. He also has many customers and he doesn't want to see all the logs together. I've heard ES does...
View ArticleWhy am I getting duplicate results after adding indexer cluster to...
I am testing our new indexer cluster using our existing search head. I added the indexer cluster servers to "dist_search" and created an indexer group so I can search just the cluster. However, all of...
View ArticleHow to create an alert to trigger if one of the indexers is not reachable in...
Hi, I have 1 search head and 3 indexers where one of them is working as a license node. I've had a situation where one of them lost connection (service was down). How do I create an alert for the...
View ArticleHow to edit my props.conf for proper event line breaking based on my sample...
Ok, I give. I can't seem to figure out why this is failing... This is the log: (Suitably neutered) 2016-11-03 13:34:00,654 [10] INFO XXXXXXX_YYY.XXXXXXX - Script Name Input: 2016-11-03 13:34:00,716...
View Article