I followed the steps in the distributed deployment manual and selected automatic selection.
But on the other search peer I am not getting
Specify "Yes" for the option: "Broadcast to other Splunk servers?"
Also, in manual adding of search peers, what to enter in the peer box?
I entered xxx.xxx.x.xxx:8000 (IP address) and the credentials of the peer computer, but it gives an error.
Can anyone help? How to do distributed search?
That setting is located under "Manager >> Distributed Search >> Distributed search setup"; you only need that setting enabled if you have not configured search peers manually (ref).
When adding a new "Search peer" manually (i.e. "Manager >> Distributed Search"), you need to add your host with the management port, which defaults to 8089 (unless changed by you), e.g.
192.168.0.4:8089
OR
foo.mynetwork:8089
You will then need to use credentials from that remote peer.
Hope this helps
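A pre-flight check for the peer entry described in this answer, as an added example that is not part of the original thread or of Splunk itself. The names `parse_peer` and `check_peer` are hypothetical, and the ports 8000 (Splunk Web) and 8089 (management) are assumed to be unchanged, as in the posts here.

```python
import socket

WEB_PORT = 8000   # Splunk Web port used in the question (assumed unchanged)
MGMT_PORT = 8089  # default splunkd management port named in the answer

def parse_peer(entry):
    """Split the 'host:port' string typed into the Search peer box."""
    host, sep, port = entry.strip().rpartition(":")
    if not sep or not host or not port.isdecimal() or not 0 < int(port) < 65536:
        raise ValueError("expected host:port, e.g. 192.168.0.4:8089")
    return host, int(port)

def check_peer(entry, timeout=5.0):
    """Return (status, hint) describing why adding this peer may fail."""
    try:
        host, port = parse_peer(entry)
    except ValueError as exc:
        return "bad_format", str(exc)
    if port == WEB_PORT:
        return "web_port", f"{port} is the Splunk Web port; use the management port (default {MGMT_PORT})"
    try:
        family, kind, proto, _, addr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return "unresolvable", f"cannot resolve {host!r}: {exc}"
    try:
        with socket.socket(family, kind, proto) as sock:
            sock.settimeout(timeout)
            sock.connect(addr)
    except socket.timeout:
        return "timeout", "no answer; a host or network firewall may be dropping this port"
    except ConnectionRefusedError:
        return "refused", "host reachable but nothing listening; is splunkd running?"
    except OSError as exc:
        return "error", str(exc)
    return "reachable", "TCP connect succeeded; check the peer's admin credentials next"

if __name__ == "__main__":
    # Constructed sample entries: the two forms quoted in the thread.
    for entry in ("192.168.0.4:8000", "foo.mynetwork:8089"):
        print(entry, "->", check_peer(entry, timeout=2.0))
```

Run it from the search head, since that is the machine that has to reach the peer's management port.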
I am trying to set up distributed search by adding search peers and following the manual. Oh, I would say it's not actually a manual; I think the author wrote up topics and jumps from one to the other without proper steps for deployment. Practical steps would have been very useful.
I am looking for documentation to set up distributed search with 1 dedicated search head with 3 or more peers attached.
The search head has been configured perfectly with a local indexer which parses and searches data... good. (The first login user has admin privilege, say admin/admin as credentials.)
Distributed search setup:
Distributed search » Distributed search setup » Turn on distributed search? YES and SAVE, then restart the Splunk instance.
Adding a new "Search peer" manually
(i.e. "Settings >> Distributed Search -> Search Peers -> Add New").
Enter host:8089 (unchanged management ports),
remote username: root
remote password: xxxx, confirm password: xxxx. You would see the following error.
"Encountered the following error while trying to save: In handler 'distsearch-peer': Error while sending public key to search peer: Cannot resolve hostname"
My Questions:
Ha! - always a firewall that is overlooked, especially host-based firewalls! Happy I could help!!
I got my problem solved. Turn off the firewall and follow the steps of MHibbin's answer. Thank you MHibbin
Firstly, have you checked that the remote Splunk instance that you are trying to connect to is running?
Secondly, are you using an account that has admin-level privileges on the remote peer (i.e. the server you are trying to connect to)? This is all in the context of Splunk, so if you have configured users locally through Splunk, they will need to be added to the "admin" role. If they have been configured using LDAP (or whatever else), then this role configuration will still be applied when you configure the authorisation.
Thanks for the reply MHibbin,
I did Manager >> Distributed Search >> Search peers >> Add new >
xxx.xxx.x.xxx:8089
For the username and password, I first tried the Splunk Web username and password of the peer, and later also tried the Windows login username and password.
I am getting this error below:
Encountered the following error while trying to save: Splunkd daemon is not responding: ('The read operation timed out',)
What to do now?