[Hands-on] Deploying a Splunk Search Head Cluster

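1 Set up the SHC Deployer role

Edit the $SPLUNK_HOME/etc/system/local/server.conf configuration file on the Deployer node and add the following settings. Comments go on their own lines: Splunk reads everything after the = on a setting line, including a trailing # comment, as part of the value.

[shclustering]
# Search Head cluster key
pass4SymmKey = shc
# Search Head cluster label
shcluster_label = shc

Restart the Splunk service on the Deployer node:

$SPLUNK_HOME/bin/splunk restart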

2 Build the Search Head Cluster

# Note: values passed with -auth and -secret on the command line end up in shell history and process listings; if -auth is omitted, the CLI prompts for credentials.
# Initialize cluster member SH01
/opt/splunk/bin/splunk init shcluster-config -auth admin:admin@123 -mgmt_uri https://[SH01]:8089 -replication_port 8292 -replication_factor 3 -conf_deploy_fetch_url https://[Deployer]:8089 -secret shc -shcluster_label shc

# Initialize cluster member SH02
/opt/splunk/bin/splunk init shcluster-config -auth admin:admin@123 -mgmt_uri https://[SH02]:8089 -replication_port 8292 -replication_factor 3 -conf_deploy_fetch_url https://[Deployer]:8089 -secret shc -shcluster_label shc

# Initialize cluster member SH03
/opt/splunk/bin/splunk init shcluster-config -auth admin:admin@123 -mgmt_uri https://[SH03]:8089 -replication_port 8292 -replication_factor 3 -conf_deploy_fetch_url https://[Deployer]:8089 -secret shc -shcluster_label shc

# Restart the Splunk service on search head cluster members SH01-SH03
/opt/splunk/bin/splunk restart

# Bootstrap the search head cluster captain
/opt/splunk/bin/splunk bootstrap shcluster-captain -servers_list "https://[SH01]:8089,https://[SH02]:8089,https://[SH03]:8089" -auth admin:admin@123
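
An added example (not part of the original post): a POSIX shell check of the [shclustering] stanza from step 1, flagging a value that has absorbed a trailing # comment and a shcluster_label that differs from the one passed to splunk init shcluster-config. The function names and the temporary sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# shc_get FILE KEY: print the raw value of KEY from the [shclustering] stanza.
shc_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_s = ($0 ~ /^[ \t]*\[shclustering\][ \t]*$/); next }
        !in_s || /^[ \t]*#/ { next }      # other stanzas and whole-line comments
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { printf "%s", val }
    ' "$1"
}

# shc_check FILE EXPECTED_LABEL: print one finding per line; exit status = number of findings.
shc_check() {
    conf=$1 expected_label=$2 findings=0
    for name in pass4SymmKey shcluster_label; do
        value=$(shc_get "$conf" "$name")
        case $value in
            '')     msg="not set in [shclustering]" ;;
            *' #'*) msg="trailing '# ...' text is read as part of the value" ;;
            *)      msg="" ;;
        esac
        if [ -z "$msg" ] && [ "$name" = shcluster_label ] && [ "$value" != "$expected_label" ]; then
            msg="does not match the label '$expected_label' used by the other nodes"
        fi
        if [ -n "$msg" ]; then
            echo "$name: $msg"        # the value itself is not printed (it may be the key)
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: a stanza with trailing comments on the setting lines.
demo=$(mktemp)
printf '%s\n' '[shclustering]' 'pass4SymmKey = shc # cluster key' \
    'shcluster_label = shc # cluster label' > "$demo"
shc_check "$demo" shc || echo "findings: $?"
rm -f "$demo"
```

Run the check before the restart: Splunk rewrites pass4SymmKey in encrypted form on startup, after which a comment absorbed into the key is no longer visible in the file.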

3 Push apps from the Deployer node to the Search Head Cluster

# Push apps from the Deployer node
/opt/splunk/bin/splunk apply shcluster-bundle --answer-yes -target https://[SH01]:8089 -auth admin:admin@123

4 Supplement: adding new nodes to the Search Head Cluster

4.1 Initialize the Search Head nodes

# -shcluster_label must be the same on every member and on the Deployer
# Initialize cluster member SH04
/opt/splunk/bin/splunk init shcluster-config -auth admin:admin@123 -mgmt_uri https://[SH04]:8089 -replication_port 8292 -replication_factor 3 -conf_deploy_fetch_url https://[Deployer]:8089 -secret shc -shcluster_label shc
# Initialize cluster member SH05
/opt/splunk/bin/splunk init shcluster-config -auth admin:admin@123 -mgmt_uri https://[SH05]:8089 -replication_port 8292 -replication_factor 3 -conf_deploy_fetch_url https://[Deployer]:8089 -secret shc -shcluster_label shc

4.2 Add the new Search Head nodes to the Search Head Cluster

# Run on the SH04 and SH05 nodes
# -current_member_uri: the management URI and port of any current member of the cluster this node is joining. This parameter lets the new node communicate with the cluster.
/opt/splunk/bin/splunk add shcluster-member -current_member_uri https://[SH01]:8089 -auth admin:admin@123

# Run on any one of the existing SH nodes
# -new_member_uri: the management URI and port of the new member being added to the cluster. This parameter must be identical to the -mgmt_uri value specified when the member was initialized.
/opt/splunk/bin/splunk add shcluster-member -new_member_uri https://[SH04]:8089 -auth admin:admin@123
/opt/splunk/bin/splunk add shcluster-member -new_member_uri https://[SH05]:8089 -auth admin:admin@123

# Check the cluster status
/opt/splunk/bin/splunk show shcluster-status

4.3 Rollback

# Remove the cluster member
/opt/splunk/bin/splunk remove shcluster-member

# Disable the cluster member configuration
/opt/splunk/bin/splunk disable shcluster-config

# Stop the Splunk service
/opt/splunk/bin/splunk stop

# Clean the KV store data
/opt/splunk/bin/splunk clean kvstore --cluster

Reference: https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Addaclustermember#Initialize_the_instance

Reference: https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Removeaclustermember


https://hesc.info/440159d3a1bc/
Author: 需要哈气的纸飞机
Published: May 26, 2022