In this blog we will be creating a cluster configuration in Elasticsearch. Let's build a cluster.

• We should not create a cluster with only 2 nodes, for the following reason:

If you have two regular nodes, you are in a dilemma. A quorum would be 2, but then the loss of one node makes your cluster inoperable. A setting of 1 lets your cluster keep functioning, but doesn't protect against split brain. It is best to have a minimum of three nodes in situations like this.

We have an architecture below to build a cluster; this is how it will look. To form a cluster that can lose a node without split brain, Elasticsearch needs a minimum of 3 master-eligible nodes.
So there are 5 servers in total:
1) Filebeat
2) Logstash/Elasticsearch
3) Logstash/Elasticsearch
4) Logstash/Elasticsearch
5) Kibana

We can't create a cluster of Logstash or Filebeat instances, or of Kibana either (none of them has a cluster mode of its own; for Kibana, an issue has been raised on GitHub asking for clustering support).

I have attached a few screenshots of the elasticsearch.yml file, which is located in the elasticsearch-6.5.4/config directory. The settings it needs are:
1) Provide a name for the cluster (cluster.name). Every node that should join this cluster must use exactly the same value; a node with a different cluster.name forms a separate cluster of its own.

2) Provide a name for your node (node.name, optional; Elasticsearch generates one if it is unset). Give each of the three nodes a distinct name so you can tell them apart in the cluster output.

Under Network:

1) Provide the network host (network.host, the IP address Elasticsearch binds to). Use the server's internal address rather than 0.0.0.0: on 6.5.4 the REST API has no authentication unless X-Pack security is enabled (a paid feature at this version), so anything that can reach the port can read, modify and delete every index.

2) Provide the port number on which you want to run Elasticsearch (http.port, 9200 by default). The nodes talk to each other over the transport port (9300 by default), so the firewall must allow 9300 between the three cluster nodes, while 9200 should be reachable only from the cluster nodes, Logstash and Kibana.

Under Discovery:

1) Provide the list of nodes that will be in the cluster (discovery.zen.ping.unicast.hosts). Here I have 3 servers; if you have more than 3, you can very well write those IPs too.

2) Provide the minimum master nodes (discovery.zen.minimum_master_nodes; for me it is 2, as I have only three servers and all three are master-eligible).

This setting helps prevent split brain, the existence of two masters in a single cluster. If you have two masters, data integrity becomes perilous, since you have two nodes that think they are in charge.

3) Formula = (number of master-eligible nodes / 2) + 1 = (3 / 2) + 1 = 2 (integer division). Only master-eligible nodes count, not data-only nodes, so recompute the value whenever you add or remove a master-eligible node.

Types of node in Elasticsearch  and their responsibilities:

• Data nodes — stores data and executes data-related operations such as search and aggregation.

• Master nodes — in charge of cluster-wide management and configuration actions such as adding and removing nodes.

• Coordinating-only nodes (called client nodes in older releases) — forward cluster requests to the master node and data-related requests to the data nodes, and merge the results.

• Ingest nodes — for pre-processing documents before indexing.

So here we will make node1 a dedicated master (master-eligible, holding no data) and node2 and node3 master-eligible data nodes. All three must keep node.master: true, because the minimum_master_nodes value of 2 computed above assumes three master-eligible nodes: if node2 and node3 were set to node.master: false, only one master-eligible node would remain, a quorum of 2 could never be reached and the cluster would never elect a master (and lowering the value to 1 would remove the split-brain protection).

#define node 1 as a dedicated master (master-eligible, no data):
node.master: true
node.data: false
#define nodes 2 and 3 as master-eligible data nodes:
node.master: true
node.data: true
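Bringing the Discovery settings and the node roles above together, here is an added example (not code from the original post) that computes the quorum with the post's formula, validates a minimum_master_nodes value against the number of master-eligible nodes, and renders an elasticsearch.yml for each of the three nodes. The cluster name, node names and IP addresses are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: quorum arithmetic for
# discovery.zen.minimum_master_nodes (Elasticsearch 6.x) plus a rendered
# elasticsearch.yml per node. Cluster name, node names and IPs are assumptions.

# quorum N -> (N / 2) + 1 with integer division, N = master-eligible nodes.
quorum() {
    echo $(( $1 / 2 + 1 ))
}

# validate_mmn MMN N -> "ok" when MMN is the quorum for N master-eligible
# nodes, otherwise a short diagnosis of the misconfiguration.
validate_mmn() {
    mmn=$1; n=$2
    if [ "$mmn" -gt "$n" ]; then
        echo "unreachable"          # more votes required than nodes exist: no master is ever elected
    elif [ "$mmn" -lt "$(quorum "$n")" ]; then
        echo "split-brain-risk"     # two partitions can each elect their own master
    elif [ "$mmn" -gt "$(quorum "$n")" ]; then
        echo "reduced-availability" # safe, but fewer node failures are tolerated than necessary
    else
        echo "ok"
    fi
}

# All three nodes stay master-eligible so that a quorum of 2 can be reached.
MASTER_ELIGIBLE="10.0.0.11 10.0.0.12 10.0.0.13"

# count_words "a b c" -> 3
count_words() { set -- $1; echo $#; }

# render_config NAME IP IS_DATA -> elasticsearch.yml for one node on stdout.
# node.master stays true on every node; IS_DATA is false for the dedicated
# master (node1) and true for the data nodes (node2, node3).
render_config() {
    name=$1; ip=$2; is_data=$3
    n=$(count_words "$MASTER_ELIGIBLE")
    cat <<EOF
cluster.name: es-demo-cluster
node.name: $name
node.master: true
node.data: $is_data
network.host: $ip
http.port: 9200
discovery.zen.ping.unicast.hosts: ["$(echo "$MASTER_ELIGIBLE" | sed 's/ /", "/g')"]
discovery.zen.minimum_master_nodes: $(quorum "$n")
EOF
}

# Render the three configs; copy each to that node's config/elasticsearch.yml.
for spec in "node1 10.0.0.11 false" "node2 10.0.0.12 true" "node3 10.0.0.13 true"; do
    render_config $spec
    echo "---"
done
```

validate_mmn is the check worth keeping around: `validate_mmn 2 1` reports "unreachable", which is exactly the state a cluster ends up in when only one node is master-eligible but minimum_master_nodes is left at 2.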


You are now ready to start your Elasticsearch nodes and verify they are communicating with each other as a cluster.

Start Elasticsearch on each of the three nodes from the elasticsearch-6.5.4/bin/ directory.

If everything was configured correctly, your Elasticsearch cluster should be up and running. To verify everything is working as expected, query Elasticsearch from any of the cluster nodes:

curl -XGET 'http://IP_address:9200/_cluster/state?pretty'

or open the same URL in your browser.

Here, the cluster name is displayed along with the list of connected nodes: check that all three nodes appear under nodes and that master_node is set. For a shorter answer, _cluster/health?pretty reports number_of_nodes and the cluster status, and _cat/nodes?v lists the nodes with their roles.
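As an added example (not part of the original post), here is a small shell check for the verification step above. It reads _cluster/health rather than the full cluster state, which is much larger, and confirms that every expected node has joined and the cluster is not red. The IP address and the sample response below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: confirm the cluster formed
# by inspecting GET /_cluster/health. The address and sample JSON are assumed.

ES_URL="http://10.0.0.11:9200"   # assumed address of any one cluster node

# Constructed sample of what /_cluster/health returns on a healthy three-node
# cluster (field layout as in Elasticsearch 6.x).
SAMPLE_HEALTH='{"cluster_name":"es-demo-cluster","status":"green","timed_out":false,"number_of_nodes":3,"number_of_data_nodes":2,"active_primary_shards":0,"active_shards":0,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":0,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":100.0}'

# json_field JSON KEY -> value of a top-level scalar field (quoted string or
# bare number); prints nothing when the key is absent.
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^,\"}]*\)\"\{0,1\}.*/\1/p"
}

# check_health JSON EXPECTED_NODES -> "ok" when the cluster is not red and all
# expected nodes have joined, otherwise a short reason.
check_health() {
    json=$1; expected=$2
    status=$(json_field "$json" status)
    nodes=$(json_field "$json" number_of_nodes)
    if [ -z "$status" ] || [ -z "$nodes" ]; then
        echo "unparseable"                   # not a health response at all
    elif [ "$status" = red ]; then
        echo "red"                           # primary shards missing
    elif [ "$nodes" -lt "$expected" ]; then
        echo "missing-nodes:$nodes/$expected" # a node never joined (check cluster.name, unicast hosts, port 9300)
    else
        echo "ok"
    fi
}

# fetch_health URL -> live response; -s and a short timeout so a node that is
# down fails fast instead of hanging the check.
fetch_health() {
    curl -s --max-time 5 "$1/_cluster/health"
}

# Run against the constructed sample (no network needed). Against a live
# cluster use: check_health "$(fetch_health "$ES_URL")" 3
echo "cluster_name: $(json_field "$SAMPLE_HEALTH" cluster_name)"
echo "sample check: $(check_health "$SAMPLE_HEALTH" 3)"
```

Run it from a cluster node or from a host the firewall allows in: with 9200 bound to an internal interface, as it should be on 6.5.4 where the REST API is unauthenticated without X-Pack security, the check has to run from inside that network. A "missing-nodes" result almost always means a mismatched cluster.name, an IP missing from discovery.zen.ping.unicast.hosts, or port 9300 blocked between the nodes.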

If you are still facing issues regarding cluster configuration in Elasticsearch, feel free to ask your doubts in the comment box below and don't forget to follow us on 👍 social networks.