Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Join Splunk Enterprise Stand-Alone SH to Indexer Cluster

JohnEGones
Path Finder
2 weeks ago

Hi Fellow Splunkers,

Perhaps I can get some different perspective, I am setting up a new standalone SH to be joined to an existing indexer cluster, but I seem to be running into an issue where when I try to point this server to the idx cluster, specifying the idx CM as the manager [manager_uri], I get an error where the SH will not be joined as a SH node.

I am referencing the DOCS here: Enable the search head - Splunk Documentation

I also note that there is an existing SH cluster that is joined to the indexer cluster.

When I edit the server.conf I get an error that the SH cannot connect to the manager node, even though I have verified and double-checked the stanzas and key values. 

From what I have described, what might be the issue?

 

Labels (3)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

JohnEGones
Path Finder
a week ago

So I got a resolution elsewhere, and I want to close this post out with a resolution so it is help to anyone else:

"You should be able to fix that problem and join the cluster by updating your server.conf as follows."

 

[general]
site = site1


[clustering]
multisite = true
manager_uri = https://YourClusterManagerIP:8089
mode = searchhead
pass4SymmKey = ClearText

 

"To configure a search head in a multisite cluster, you set a site attribute in the [general] stanza and a multisite attribute in the [clustering] stanza. All other configuration settings are identical to a search head in a single-site cluster.

Be sure to use the clear text pass4symmkey again and restart the splunk service."

View solution in original post

0 Karma
Reply
Solved! Jump to solution

JohnEGones
Path Finder
a week ago

Hi guys,

Thanks for responding, and apologies for the long delay.

There is an error for one of the multisite variables not being configured properly and then a bunch of subsequent errors that the server cannot reach to the CM.

I will also add that this is a HA multisite config and idk how this impacts how the needed cluster stanza variables that need to be configured.

0 Karma
Reply
Solved! Jump to solution
Solution

JohnEGones
Path Finder
a week ago

So I got a resolution elsewhere, and I want to close this post out with a resolution so it is help to anyone else:

"You should be able to fix that problem and join the cluster by updating your server.conf as follows."

 

[general]
site = site1


[clustering]
multisite = true
manager_uri = https://YourClusterManagerIP:8089
mode = searchhead
pass4SymmKey = ClearText

 

"To configure a search head in a multisite cluster, you set a site attribute in the [general] stanza and a multisite attribute in the [clustering] stanza. All other configuration settings are identical to a search head in a single-site cluster.

Be sure to use the clear text pass4symmkey again and restart the splunk service."

0 Karma
Reply
Solved! Jump to solution

marnall
Builder
2 weeks ago

Unfortunately this error does not give any reason _why_ the search head cannot connect to the manager node. If the stanza is exactly correct between the working search head and the non-working search head, then it could be a network connectivity issue or a firewall issue rather than a splunk issue.

Do you see any errors in the _internal logs that may describe the reason why the search head was failing to connect?

Reply
Solved! Jump to solution

kiran_panchavat
Communicator
2 weeks ago

@JohnEGones 

Here you go, https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Configuresearchheadwithserverconf

Does my answer above solve your question ? If yes, spare a moment to accept the answer and vote for it. Thanks.

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...