Is it possible to get resource utilization information for all clustered search heads from a single search head using the S.o.S add-on for Linux?

butzowj
Path Finder

Hi,

We are running S.o.S - Splunk on Splunk in a search head clustering environment. Is it possible to get the resource utilization information from all search heads to be searchable from a single search head using the S.o.S add-on for Linux? Right now, I have to log in to Splunk Web for each search head to get the data for that search head (i.e., I have to log in to searchhead1:8000 to view info for searchhead1).

Thanks,
JB

0 Karma

msudhindra
Path Finder

Where does your search-head maintain its data, and is that location searchable from the other search heads? Do you have an outputs.conf on your search-head that redirects the outputs to an indexer?

The default behavior of Splunk is to maintain (index) data locally. So your search head in the cluster is also an indexer for local data only. The issue you see is due to the fact that the search head you are logging into does not have access to the data indexed on other search head nodes in the cluster.

In our case, we forward all data from a search head off to an indexer, where it is indexed, and maintained. These indexers are searchable from all the search head nodes in the cluster, and the above problem is avoided.

Thanks,
Madan

butzowj
Path Finder

Hi Madan -

Thx for the response.

Our search heads write data locally right now, because we don't know how to configure it any other way. Ideally, we would send this data to the index cluster to be indexed with the rest of our data. It sounds like we need to utilize an outputs.conf file to forward the locally indexed data to the index cluster.

Which outputs.conf file would we use, and would this have any other potential impacts to the system?

Thanks,
JB

0 Karma
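
The forwarding setup Madan describes and JB asks about, sketched as an added example that is not part of the original thread: an `outputs.conf` placed on every search head so that locally generated data is sent to the indexers instead of being indexed on the search head. The group name, hostnames and receiving port 9997 are assumptions; substitute your own indexers and the port they listen on.

```ini
# outputs.conf on each search head (constructed example, not from the thread).
# In a search head cluster, put this file in an app and distribute it with the
# deployer so that every member carries the same forwarding configuration.

# Turn off local indexing on the search head.
[indexAndForward]
index = false

[tcpout]
# Send everything to the indexer group defined below (hypothetical name).
defaultGroup = primary_indexers
# Disable the forwarded-index filter so that all indexes, including
# internal ones such as _internal, are forwarded rather than held back.
forwardedindex.filter.disable = true
# Do not keep a local copy of forwarded events.
indexAndForward = false

[tcpout:primary_indexers]
# Placeholder indexer hosts and receiving port; list your own peers here.
server = idx1.example.com:9997, idx2.example.com:9997
```

Any index the search heads write to must also be defined on the indexers, and the indexers must have a receiving port enabled. Once the data lives on the indexers, a search from any cluster member returns events from all search heads, distinguishable by the `host` field.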