Can I specify a dedicated network for cluster replication transport in a clustered environment?

melonman
Motivator

Hi

In a clustered environment, the network for replication needs to be fast.
I have multiple network interfaces on a peer server and I want to tell Splunk to use a specific interface for data replication.

Has anyone here done this?
Thank you very much in advance.

1 Solution

jtacy
Builder

I've asked a similar question before for a multi-tenant environment and I think the same solution should work. This option in server.conf on the peer should do the trick:

register_replication_address = <IP address, or fully qualified machine/domain name>
    * Only valid for mode=slave
    * This is the address on which a slave will be available for accepting
      replication data. This is useful in the cases where a slave host machine 
      has multiple interfaces and only one of them can be reached by another 
      splunkd instance

Documentation: server.conf

Hope this helps, good luck!!

jbrinkman
Explorer

I believe you will likely want to configure "register_forwarder_address" and "register_search_address" as well. I've heard of situations where a cluster was attempting to use the interface identified by the "register_replication_address" to also perform searches and receive ingest. It is probably best that, if you configure one of these stanzas, you do the other two as well.

register_forwarder_address =
    * Only valid for mode=slave
    * This is the address on which a slave will be available for accepting
      data from forwarder. This is useful in the cases where a splunk host
      machine has multiple interfaces and only one of them can be reached by
      another splunkd instance.

register_search_address =
    * Only valid for mode=slave
    * This is the address on which a slave will be available as search head.
      This is useful in the cases where a splunk host machine has multiple
      interfaces and only one of them can be reached by another splunkd
      instance.

0 Karma
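
A lint for the advice in the two answers above, as an added example that is not part of the original thread or Splunk's own tooling: it parses a peer's server.conf, flags a [clustering] stanza that sets only some of the three register_* addresses, and checks that each value is an IP address or FQDN. The sample configs, host names and addresses are constructed, and the hostname syntax rule is an assumption, not Splunk's validation logic.

```python
import configparser
import ipaddress
import re

# The three [clustering] settings named in the answers above.
REGISTER_KEYS = ("register_replication_address", "register_forwarder_address",
                 "register_search_address")
# RFC 1123 label syntax; an assumption, not Splunk's own validation rule.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def valid_address(value):
    """True if value is an IP literal or a syntactically valid FQDN."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    # A numeric last label means a malformed IP (e.g. 10.0.0.300), not a name.
    return (len(value) <= 253 and len(labels) >= 2
            and not labels[-1].isdigit() and all(_LABEL.match(l) for l in labels))

def check_peer_conf(text):
    """Return a list of findings for the [clustering] stanza of a server.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("clustering"):
        return ["no [clustering] stanza"]
    sec = cp["clustering"]
    present = [k for k in REGISTER_KEYS if sec.get(k, "").strip()]
    findings = []
    if present and sec.get("mode") != "slave":
        findings.append("register_* addresses are only valid for mode=slave")
    for k in REGISTER_KEYS:
        if present and k not in present:
            findings.append(f"{k} not set while {present[0]} is")
    for k in present:
        if not valid_address(sec[k].strip()):
            findings.append(f"{k} = {sec[k]!r} is not an IP address or FQDN")
    return findings

# Constructed sample: a peer that pins only the replication interface.
SAMPLE_PARTIAL = """[replication_port://9887]

[clustering]
mode = slave
master_uri = https://cm.example.internal:8089
register_replication_address = 10.20.0.11
"""
SAMPLE_FULL = SAMPLE_PARTIAL + ("register_forwarder_address = 10.10.0.11\n"
                                "register_search_address = idx1.example.internal\n")
```
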

melonman
Motivator

Thank you for the information!

0 Karma

ajiwanand
Path Finder

I know this is an old answer but have you tried this out? I am getting "invalid hostname" when trying to use register_replication_address. And yes, the peer and CM can reach each other and even resolve. Also I'm using IP for testing.

0 Karma