Indexer clusters are groups of Splunk Enterprise indexers configured to replicate each other’s data, so that the system keeps multiple copies of all data. In this blog we will implement indexer clustering in Splunk.

Architecture Diagram :-

To Enable Clustering :-

1. First go to the Indexer Master’s Settings and click on Indexer clustering.


2. Click on Enable Clustering >> select the type of node. In a cluster, one indexer will be the master node and the others will be peer nodes.

3. At the time of master node configuration, the following settings have to be made on the Indexer Master.

4. The security key must be unique across the cluster.
5. The cluster label can be any value.
6. At the time of the indexers’ configuration, go to Settings >> Indexer clustering >> select Peer node.

7. Here we have to enter the master node URI.

8. The peer replication port will be 8080, and the security key will be the same as on the master node.

To Make Instances Secured (https):-

1. To make all the instances secured, go to Settings >> Server settings.

2. Click on General settings.

3. In General settings >> select the Yes option for enabling SSL in Splunk Web.

To add Search Head in Clustering :-
1. Now, to add a search head to the cluster, go to Settings >> Indexer clustering >> select the node type as Search head node.

2. It will ask for the master node URI; enter the same security key which was used at the time of master node configuration.

3. After that, go to Settings >> Distributed search.

4. Click on + Add new.

5. Here add the indexer URI and the username and password for it.

6. Do this for all the indexers (peer nodes) we have.

To Enable Receiving Port of Indexers :-
1. First enable the listening port on all the indexers which we have added to the cluster. For that, go to Settings >> Forwarding and receiving.

2. Select add new.

3. Add the listening port 9997 and save it.

To attach H/F OR U/F to Cluster :-
1. In clustering we can forward the outputs.conf to heavy forwarders through the deployment server.
2. Instances which have serverclass.conf will act as the deployment server.
3. Instances which have deploymentclient.conf will act as deployment clients.
4. The app which we want to send to all heavy forwarders resides in /opt/splunk/etc/deployment-apps.
5. Now restart the indexers and heavy forwarders.
6. Now data should get forwarded to the indexers; it should be replicated and searchable through the search head.
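
The settings made through Splunk Web in the steps above are stored in each instance's server.conf, web.conf and inputs.conf. The following Python check is an added example, not part of the original post: it reads staged copies of those files and reports where a node disagrees with the steps (security key, master node URI, replication port, receiving port 9997, Splunk Web SSL). The host names, key values and the `audit_cluster` and `server_conf` helpers are constructed for illustration, and it assumes plain-text keys as staged before the first restart, because Splunk encrypts pass4SymmKey per instance afterwards.

```python
import configparser

def load(text):
    # Splunk .conf files are INI-like; [replication_port://8080] is an ordinary section.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def audit_cluster(nodes):
    """nodes: {name: {"server.conf": text, "web.conf": text, "inputs.conf": text}}."""
    findings, keys, uris = [], {}, {}
    for name, files in nodes.items():
        server, web, inputs = (load(files.get(f, "")) for f in
                               ("server.conf", "web.conf", "inputs.conf"))
        mode = server.get("clustering", "mode", fallback="")
        keys[name] = server.get("clustering", "pass4SymmKey", fallback="")
        if not keys[name]:
            findings.append(f"{name}: no security key (pass4SymmKey) set")
        if not web.getboolean("settings", "enableSplunkWebSSL", fallback=False):
            findings.append(f"{name}: Splunk Web SSL is not enabled")
        if mode not in ("master", "manager"):
            # Older releases name the setting master_uri, newer ones manager_uri.
            uris[name] = (server.get("clustering", "master_uri", fallback="")
                          or server.get("clustering", "manager_uri", fallback=""))
        if mode in ("slave", "peer"):  # peer node; "slave" on older releases
            if not any(s.startswith("replication_port://") for s in server.sections()):
                findings.append(f"{name}: peer has no replication port stanza")
            if "splunktcp://9997" not in inputs.sections():
                findings.append(f"{name}: receiving port 9997 is not enabled")
    if len(set(keys.values())) > 1:
        findings.append("security key differs between nodes")
    if len(set(uris.values())) > 1:
        findings.append("master URI differs between nodes")
    return findings

# Constructed sample: staged files for a master, one peer and a search head.
WEB = "[settings]\nenableSplunkWebSSL = true\n"
def server_conf(mode, key, extra=""):
    uri = "" if mode == "master" else "master_uri = https://idx-master.example.com:8089\n"
    return f"[clustering]\nmode = {mode}\n{uri}pass4SymmKey = {key}\n{extra}"
SAMPLE = {
    "idx-master": {"server.conf": server_conf("master", "ExampleKey1"), "web.conf": WEB},
    "idx-peer1": {"server.conf": server_conf("slave", "ExampleKey1", "[replication_port://8080]\n"),
                  "web.conf": WEB, "inputs.conf": "[splunktcp://9997]\n"},
    # The search head was staged with a different key and without Splunk Web SSL.
    "sh1": {"server.conf": server_conf("searchhead", "OtherKey"), "web.conf": ""},
}

if __name__ == "__main__":
    print("\n".join(audit_cluster(SAMPLE)))
```

An empty result means the staged files agree with the steps; each finding names the node that needs to be revisited in Splunk Web.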
