Configure distributed search via distsearch.conf

Configure distributed search via distsearch.conf

The most advanced specifications for distributed are available in distsearch.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.

Configuration

[distributedSearch]

• Set distributed search configuration options under this stanza name.
• Follow this stanza name with any number of the following attribute/value pairs.
• If you do not set any attribute, Splunk uses the default value (if there is one listed).

disabled = <true | false>

• Toggle distributed search off and on.
• Defaults to false (your distributed search stanza is enabled by default).

heartbeatFrequency = <in seconds>

• Heartbeat in seconds.
• 0 disables all heartbeats.
• If the heartbeat is disabled, no other Spolunk Server is able to auto-discover this instance.
• Defaults to 2.

heartbeatMcastAddr = <IP address>

• Set a multicast address.
• Defaults to 255.0.0.37.

heartbeatPort = <port>

• Set heartbeat port.
• Defaults to 60.

serverTimeout = <in seconds>

• How long to wait for a connection to a server.
• If a connection occurs, a search times out in 10x this value.
  • For example, if set to 10 seconds, the maximum search allowed is 100 seconds.
• This setting works in tandem with 'removeTimedOutPeers.'
• Defaults to 10.

statusTimeout = <in seconds>

• Set how long to wait for a server to return its status.
• Up this number if your peered servers are slow or if the server name disappears from the SplunkWeb widget.

removedTimedOutServers = <true | false>

• If true, remove a server connection that cannot be made within 'serverTimeout.'
• If false, every call to that server attempts to connect.
  • NOTE: This may result in a slow user interface.

checkTimedOutServersFrequency = <in seconds>

• This tag is ONLY relevant if 'removeTimedOutServers' is set to true.
  • If 'removeTimedOutServers' is false, this attribute is ignored.
• Rechecks servers at this frequency (in seconds).
• If this is set to 0, then no recheck will occur.
• Defaults to 60.

autoAddServers = [True | False]

• If this tag is set to 'true', this node will automatically add all discovered servers.

skipOurselves = [True | False]

• If this is set to 'true', then this server will NOT participate as a server in any search or other call.
• This is used for building a node that does nothing but merge the results from other servers.
• Defaults to 'false.'

allowDescent = [True | False]

ttl = <integer>

• Time To Live.
• Increasing this number allows the UDP multicast packets to spread beyond the current subnet to the specified number of hops.
• NOTE: This only will work if routers along the way are configured to pass UDP multicast packets.
• Defaults to 1 (this subnet).

servers =

• Initial list of servers.
• If operating completely in 'autoAddServers' mode (discovering all servers), there is no need to have any servers listed here.

blacklistNames =

• List of server names that you do not want to peer with.
• Server names are the 'server name' that is created for you at startup time.

blacklistURLs =

• Comma-delimited lists of blacklisted discovered servers.
• You can black list on server name (above) or server URI (x.x.x.x:port).

Example

[distributedSearch]
heartbeatFrequency = 10
servers = 192.168.1.1:8059,192.168.1.2:8059
blacklistNames = the-others,them
blacklistURLs = 192.168.1.3:8059,192.168.1.4:8059

This entry distributes searches to 192.168.1.1:8059,192.168.1.2:8059.

The server sends a heartbeat every 10 seconds.

There are four blacklisted instances, listed across blacklistNames and blacklistURLs.

Attributes not set here use the defaults listed in distsearch.conf.spec.

• Was this topic useful?
• Post a comment