Re: Cluster question

dolejh76 · ‎03-14-2017

We have a server in Omaha and a server in Jacksonville.

Currently all items are forwarded to Omaha so when I log into Omaha I can see Omaha and Jacksonville. When I log into Jacksonville I cant see anything.

How do I set it so that in Jacksonville I can see Jacksonville. I don't want to replicate all Omaha indexes to Jacksonville, but I would like to be able to see Jacksonville when logged into Jacksonville.

Thanks
John

esix_splunk · ‎03-14-2017

Sounds to me like you are not indexing in Jacksonville, you are just forwarding events.

You either need to index and forward events from Jacksonville, or you need setup distributed search from the Jacksonville instance(s).

Read this : https://docs.splunk.com/Documentation/Splunk/6.5.2/DistSearch/Configuredistributedsearch

What you want to do is add the Omaha indexer as a peer to Jacksonville. Be aware there are some bandwidth and latency issues to be considerate of...

dolejh76 · ‎03-15-2017

Ill take a look - thanks

somesoni2 · ‎03-14-2017

Does your search head has both Omaha and Jacksonville indexers added as Search Peer?

dolejh76 · ‎03-14-2017

Logged into Omaha - I see Jax as a Peer, and Omaha as a search head.

somesoni2 · ‎03-14-2017

What you do see in Jacksonville? Do you see Omaha as Peer?

dolejh76 · ‎03-14-2017

If I log into Jax - I just see - Clustering: Peer Node and Jax.

mrgibbon · ‎03-14-2017

Sounds like you need to add Omaha as a search peer on the Jax machine.

Cluster question

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases