Solved: How can I find whether an environment is clustered...

nishwanth · ‎07-26-2016

I have 4 servers in which 2 are clustered and are used as search heads, a 3rd one is Splunk Enterprise Security, and the 4th server is search head pooling. These are connected to indexers. I want to know how to find whether the environment is clustered or distributed. If it is distributed, then how should I add new index to it and pull logs into that index?

Thanks,
Nishwanth

martin_mueller · ‎07-26-2016

To find out if a search head is running in a search head cluster, run this on the search head:

$SPLUNK_HOME/bin/splunk show shcluster-status

To find out if a search head is running in a search head pool, run this on the search head:

$SPLUNK_HOME/bin/splunk pooling display

To find out if an indexer is running in an indexer cluster, run this on the indexer:

$SPLUNK_HOME/bin/splunk show cluster-status

To define indexes in an indexer cluster, check out the docs at http://docs.splunk.com/Documentation/Splunk/6.4.2/Indexer/Configurethepeerindexes

To pull in logs, one of the good ways is forwarding - check out the docs at http://docs.splunk.com/Documentation/Splunk/6.4.2/Forwarding/Aboutforwardingandreceivingdata

If you have inherited a complex legacy Splunk environment with little documentation and not a lot of experience, consider getting a local partner or Splunk professional services to help you bring things back to proper health.

View solution in original post

martin_mueller · ‎07-26-2016

To find out if a search head is running in a search head cluster, run this on the search head:

$SPLUNK_HOME/bin/splunk show shcluster-status

To find out if a search head is running in a search head pool, run this on the search head:

$SPLUNK_HOME/bin/splunk pooling display

To find out if an indexer is running in an indexer cluster, run this on the indexer:

$SPLUNK_HOME/bin/splunk show cluster-status

To define indexes in an indexer cluster, check out the docs at http://docs.splunk.com/Documentation/Splunk/6.4.2/Indexer/Configurethepeerindexes

To pull in logs, one of the good ways is forwarding - check out the docs at http://docs.splunk.com/Documentation/Splunk/6.4.2/Forwarding/Aboutforwardingandreceivingdata

If you have inherited a complex legacy Splunk environment with little documentation and not a lot of experience, consider getting a local partner or Splunk professional services to help you bring things back to proper health.

ppanchal · ‎10-12-2016

What should be the ideal output of the below command if the indexers are not running in clustered mode?

$SPLUNK_HOME/bin/splunk show cluster-status

martin_mueller · ‎08-02-2016

Do mark this answer as accepted if it solved your question.

martin_mueller · ‎07-28-2016

If your indexers are distributed but not clustered, you go back a few chapters in the manual I linked above: http://docs.splunk.com/Documentation/Splunk/6.4.2/Indexer/Aboutmanagingindexes

nishwanth · ‎08-02-2016

Thanks for your reply martin.

nishwanth · ‎07-26-2016

Thanks for your answer martin. If it is distributed how will I add new index to it.

How can I find whether an environment is clustered or distributed? If it is distributed, how can I add a new index to that?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...