
What is the correct installation and configuration for the Fire Brigade version 2 app and add-on in an indexer clustering environment?

transtrophe
Communicator

I am setting up Fire Brigade v 2.0.3 to monitor my Splunk deployment (using index clustering with RF = 5 and SF = 3). The documentation for Fire Brigade provided a brief discussion for a few options in terms of deployment, but I am a little unclear still as to the recommended deployment when monitoring an indexer cluster. It seems like my options are as follows:

  1. Deploy Fire Brigade and the TA on the cluster master including making the master a search-head.
  2. Same as 1 including distributing the TA to all the index cluster peers doing a cluster-bundle apply.
  3. Deploy Fire Brigade and the TA on and across the search-head cluster.
  4. Deploy Fire Brigade and the TA on a stand-alone search-head.
  5. Same as 4 including distributing the TA to all the index cluster peers doing a cluster-bundle apply.

I am also not really clear on configuring the monitored_indexes.csv. Firstly, I don't find anything so far in the Fire Brigade UI for configuring this csv. Secondly, looking on the stand-alone sh where I currently deployed FB and its TA doing a 'find /opt/splunk -name monitored_indexes*' as the root account returned no file. Same situation when looking for this file on the index cluster master (I uploaded the TA to the master in case it is recommended to apply the TA across the cluster).

1 Solution

esix_splunk
Splunk Employee

Firebrigade-TA goes on the indexers; it can be deployed with 'master-apps' on the CM.

The app itself will go on a search head; it doesn't need to be the CM.

As for monitored indexes, there is a saved search that runs every night in the early AM. It builds that list based on all the indexes that are replicating.

Install that, and wait. It will be populated within 24 hours, as I believe is noted in the docs.


ppablo
Retired

FYI, Fire Brigade version 2 will no longer be updated (latest version is 2.0.3). The newer versions 2.0.4 and higher will now be available with the original “Fire Brigade” app on Splunkbase which was just updated to support Splunk 6.3. This is noted on the page for Fire Brigade on Splunkbase:
https://splunkbase.splunk.com/app/1581/

If you have any questions, ping the developer of the app @sowings

Cheers!

0 Karma

transtrophe
Communicator

Thanks esix_splunk - doing your recommended config now.

0 Karma