splunk search head cluster joining indexer cluster

1
votes

Just trying out splunk, have had an issue with integrating a search head cluster with an indexer cluster.

I have 3 machines in a search head cluster and 3 machines in an indexer cluster. These are all on CentOS7, no firewall installed, all machines are able to ping / view each others splunk instaces (ip:8000 / ip:8089).

When following https://docs.splunk.com/Documentation/Splunk/6.6.2/DistSearch/SHCandindexercluster specifically 

splunk edit cluster-config -mode searchhead -master_uri 10.152.31.202:8089 -secret newsecret123

I get an error of 

Could not contact master.  Check that the master is up, the master_uri=10.152.31.202:8089 and secret are specified correctly

I have removed the https:// part from the IP's above as I couldn't post with them included. I have set the pass4SymmKey to be the same on all servers.

thanks

2
splunk
Can you telnet/netcat to the master's IP and port? Splunk expects the https:// bit, put it back in. Is the master correctly setup as an indexer cluster master and are the indexer peers successfully connecting to it? - Joao Figueiredo
yes can successfully telnet to the master IP/port. It is setup as an indexer cluster master, salve indexers are connected to it without problems. thanks. - Andy

2 Answers

0
votes

Please check shclustering pass4symmkey in both search head cluster and in the master.

i suspect pass4symmkey issue.

0
votes

You should check splunkd.log to see what the error is. I would recommend not setting up the Pass4symKey and verifying it works first, if not then you found your issue.

Also, you did not mention having an extra server acting as the cluster master. This should be an independent server from your indexers. You have one right?