Deployment Architecture

about adding indexers and search header questions.

xsstest
Communicator

1、"Index" is my master node, why does it appear on my search head list? I try to type "splunk remove shcluster-member" on the index master node, it prompts the following information:

alt text

2、My original index cluster has three indexers. The set replication factor is: 3. The search factor is 2. Now I have added an indexer to the index cluster. Question: Why does the new indexer's default index have data, and other custom indexes do not have data? Should my copy factor be changed to "4"?

alt text

Tags (2)
0 Karma
1 Solution

adonio
Ultra Champion

hello xsstest,
first question,
the Cluster Master (here the Splunk instance names index) is always a Search Peer for the Indexer Cluster
i am aware the terminology of Splunk can be sometimes confusing, but its important to understand the terms of different Clusters
Indexer Cluster - Search Peer = an instance that searches that particular cluster (can be many Search peers and they dont have to be clustered themselves)
Search head Cluster - Search Head Members, are search heads that are part of the Search Head Cluster
Your Cluster Master (index) is not a part of a Search Head Cluster, on a side note, i dont know if you have a search head cluster. and therefore the command you execute will not affect it.
the screen you are looking at is the Cluster Master view and it shows all the Search Peers regardless.
as for your second question,
did you verify all indexes configuration were replicated to the new indexer?
did you set repFactor = auto ?
did you set forwarders outputs to reflect new Indexer or you use the Indexer discovery function?
hope it helps

View solution in original post

0 Karma

adonio
Ultra Champion

hello xsstest,
first question,
the Cluster Master (here the Splunk instance names index) is always a Search Peer for the Indexer Cluster
i am aware the terminology of Splunk can be sometimes confusing, but its important to understand the terms of different Clusters
Indexer Cluster - Search Peer = an instance that searches that particular cluster (can be many Search peers and they dont have to be clustered themselves)
Search head Cluster - Search Head Members, are search heads that are part of the Search Head Cluster
Your Cluster Master (index) is not a part of a Search Head Cluster, on a side note, i dont know if you have a search head cluster. and therefore the command you execute will not affect it.
the screen you are looking at is the Cluster Master view and it shows all the Search Peers regardless.
as for your second question,
did you verify all indexes configuration were replicated to the new indexer?
did you set repFactor = auto ?
did you set forwarders outputs to reflect new Indexer or you use the Indexer discovery function?
hope it helps

0 Karma

xsstest
Communicator

first question,
I do have a search head cluster.

Second question:

repFactor = auto on /opt/splunk/etc/slave-apps/_cluster/deafult/indexes.conf file ?

and my forwarders outputs configuration is as follows

vim /opt/splunkforwarder/etc/apps/search/default/outputs.conf

[indexer_discovery:master1]
pass4SymmKey = xxxxxxx
master_uri = https://mster node IP:8089

[tcpout:group1]
autoLBFrequency = 30
forceTimebasedAutoLB = true
indexerDiscovery = master1
useACK = true

[tcpout]
defaultGroup = group1

0 Karma

xsstest
Communicator

How do I use the Indexer discovery function

0 Karma

adonio
Ultra Champion

looks like you are using the indexer discovery function.
your outputs looks ok as well
the outputs location looks odd, it is under the app search and the default directory.
not the best place to be
regarding repFactor, yes
this is from docs:

   repFactor = 0|auto
    * Valid only for indexer cluster peer nodes.
    * Determines whether an index gets replicated.
    * Value of 0 turns off replication for this index.
    * Value of "auto" turns on replication for this index.
    * This attribute must be set to the same value on all peer nodes.
    * Defaults to 0.

if it sums it up, kindly mark question as answered

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...