Deployment Architecture

How to set up distributed search in splunk ?

sumanth_isac
Path Finder

I followed the steps in the distributed deployment manual and selected automatic selection.
But on the other search peer I am not getting
Specify "Yes" for the option: "Broadcast to other Splunk servers?"

Also, in manual adding of search peers, what do I enter in the peer box?
I entered xxx.xxx.x.xxx:8000 (the IP address) and the credentials of the peer computer, but it gives an error.
Can anyone help? How do I do distributed search?


MHibbin
Influencer

That setting is located under "Manager >> Distributed Search >> Distributed search setup", you only need that setting enabled if you have not configured search peers manually (ref).

When adding a new "Search peer" manually (i.e. "Manager >> Distributed Search"), you need to add your host with the management port, which defaults to 8089 (unless changed by you), e.g.

192.168.0.4:8089

OR

foo.mynetwork:8089

You will then need to use credentials from that remote peer.

Hope this helps


neelakanta
Explorer

I am trying to set up distributed search by adding search peers and following the manual. Oh, I would say it's not actually a manual; I think the author wrote up topics and jumps from one to the other without proper steps for deployment. Practical steps would have been very useful.

I am looking for documentation to set up distributed search with 1 dedicated search head with 3 or more peers attached.

The search head has been configured perfectly with a local indexer which parses and searches data. Good. (The first login user has admin privilege, say admin/admin as credentials.)

Distributed search setup:
Distributed search >> Distributed search setup >> Turn on distributed search? YES and SAVE, then restart the Splunk instance.

Adding a new "Search peer" manually
(i.e. "Settings >> Distributed Search -> Search Peers -> Add New"):
Enter host:8089 (unchanged management ports),
remote username: root
remote password: xxxx, confirm password: xxxx. You would see the following error.

"Encountered the following error while trying to save: In handler 'distsearch-peer': Error while sending public key to search peer: Cannot resolve hostname"

My Questions:

  1. Am I supposed to install Splunk on the peer hosts as well?
  2. Are peers nothing but local indexers to my dedicated search head?
  3. How do I use peer mounted space as an indexer?
  4. Across my four peers, how do I distribute an equal amount of data for distributed search functionality (e.g. I want to use 1TB of data and would like all indexers to perform load balanced)?

MHibbin
Influencer

Ha! - always a firewall that is overlooked, especially host-based firewalls! Happy I could help!!


sumanth_isac
Path Finder

I got my problem solved. Turn off the firewall and follow steps of MHibbin answer. Thank you MHibbin


MHibbin
Influencer

Firstly, have you checked that the remote Splunk instance that you are trying to connect to is running?

Secondly, are you using an account that has admin level privileges on the remote peer (i.e. the server you are trying to connect to)? This is all in the context of Splunk, so if you have configured users locally through Splunk, they will need to be added to the "admin" role. If they have been configured using LDAP (or whatever else), then this role configuration will still be applied when you configure the authorisation.


sumanth_isac
Path Finder

Thanks for the reply MHibbin,
I did Manager >> Distributed Search >> Search peers >> Add new >

xxx.xxx.x.xxx:8089

For the username and password I tried first the Splunk Web username and password of the peer, and later also tried the Windows login username and password.
I am getting the error below:

Encountered the following error while trying to save: Splunkd daemon is not responding: ('The read operation timed out',)
What do I do now?

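The three failures in this thread are all reachable from the search head before touching the "Add new" form: the wrong port typed into the peer box (8000 is Splunk Web, the peer is added on the management port 8089), a hostname the search head cannot resolve ("Cannot resolve hostname"), and a management port that a host firewall silently drops ("The read operation timed out"). The pre-flight check below is an added example and is not code from the thread or from Splunk; it assumes the default ports named in the answers (8000 web, 8089 management) and only does DNS resolution and a TCP connect, so it says nothing about whether the credentials carry the admin role on the peer.

```python
import socket

# Splunk default ports, as stated in the thread (assumed unchanged on the peer):
WEB_PORT = 8000    # Splunk Web UI, the port sumanth_isac typed by mistake
MGMT_PORT = 8089   # splunkd management port, what the Search Peers form expects


def parse_peer(spec):
    """Parse a 'host:port' string as typed into the Search Peers 'Add new' box.

    Returns (host, port, warnings). Warnings flag the mistakes seen in the thread
    rather than rejecting the input, so the caller can still run the reachability check.
    """
    warnings = []
    text = spec.strip()
    host, sep, port_str = text.rpartition(":")
    if not sep:
        # No port given at all: the form expects host:port, assume the management port
        host, port = text, MGMT_PORT
        warnings.append("no port given; assuming management port %d" % MGMT_PORT)
    else:
        if not port_str.isdigit():
            raise ValueError("invalid port in peer spec %r" % spec)
        port = int(port_str)
    if not host:
        raise ValueError("missing host in peer spec %r" % spec)
    if port == WEB_PORT:
        warnings.append("port %d is Splunk Web, not the management port; "
                        "peers are added on %d" % (WEB_PORT, MGMT_PORT))
    return host, port, warnings


def check_peer(host, port, timeout=5.0):
    """Classify reachability of the peer's management port from this machine.

    Returns one of 'unresolved', 'timeout', 'refused', 'reachable', 'error'.
    """
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror:
        return "unresolved"          # same condition as 'Cannot resolve hostname'
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return "reachable"       # TCP handshake completed; splunkd is listening
    except socket.timeout:
        return "timeout"             # packets dropped, typically a host firewall
    except ConnectionRefusedError:
        return "refused"             # host up, but nothing listening on that port
    except OSError:
        return "error"


def advice(status):
    """Map a check_peer() status to the fix each reply in this thread pointed at."""
    return {
        "unresolved": "fix DNS or the hosts file on the search head, or use the IP address",
        "timeout": "open the management port in the peer's host firewall",
        "refused": "confirm the remote Splunk instance is running and the port is 8089",
        "reachable": "port is open; next verify the account holds the admin role on the peer",
        "error": "unexpected socket error; check the network path",
    }[status]


def local_listener():
    """Open a throwaway listener on 127.0.0.1 (constructed stand-in for a peer)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed inputs: the web-port mistake from the question, an unresolvable
    # name (.invalid never resolves), and a local stand-in for a working peer.
    for spec in ("192.168.0.4:8000", "peer.invalid:8089"):
        host, port, warns = parse_peer(spec)
        for w in warns:
            print("warning:", w)
        status = check_peer(host, port, timeout=2.0)
        print(spec, "->", status, "-", advice(status))
    srv, port = local_listener()
    try:
        print("127.0.0.1:%d ->" % port, check_peer("127.0.0.1", port))
    finally:
        srv.close()
```

Run it on the search head itself, since that is the host whose resolver and network path the peer add uses; a "reachable" result still leaves the credential question from MHibbin's reply, which this check does not cover.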