Hello Guys,

I am preparing for the Splunk Enterprise Admin certification and I am getting a bit confused by the documentation in Splunk docs. Namely, there are two different statements in the distsearch.conf stanza, and I am not sure which one is the right one.

Splunk/8.1.2/DistSearch/Configuredistributedsearch - here it states:

"Add the search peers

To connect the search peers:

1. On the search head, create or edit a distsearch.conf file in $SPLUNK_HOME/etc/system/local.
2. Add the search peers to the servers setting under the [distributedSearch] stanza. Specify the peers as a set of comma-separated values (host names or IP addresses with management ports). For example:

[distributedSearch]
servers = https://192.168.1.1:8089,https://192.168.1.2:8089

Note: You must precede the host name or IP address with the URI scheme, either "http" or "https"."

Splunk/8.1.2/DistSearch/Distributedsearchgroups - the other one here states:

"You define distributed search groups in distsearch.conf. For example, to create the two search groups NYC and SF, create stanzas like these:

[distributedSearch]
# This stanza lists the full set of search peers.
servers = 192.168.1.1:8089, 192.168.1.2:8089, 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089
[distributedSearch:NYC]
# This stanza lists the set of search peers in New York.
default = false
servers = 192.168.1.1:8089, 192.168.1.2:8089
[distributedSearch:SF]
# This stanza lists the set of search peers in San Francisco.
default = false
servers = 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089

In the first example, it says that "http/https" is required in the hostname/IP under the servers variable in the [distributedSearch] stanza; the other one omits it and does not say anything about "http/https" as a required value. I am not at the stage of testing this myself yet, so I was thinking maybe I can ask here.

Thanks in advance