distsearch.conf

distsearch.conf

The following are the spec and example files for distsearch.conf.

distsearch.conf.spec

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.1.5
#
# This file contains possible attributes and values you can use to configure distributed search.
#
# There is NO DEFAULT distsearch.conf.  
#
# To set custom configurations, place a distsearch.conf in $SPLUNK_HOME/etc/system/local/.  
# For examples, see distsearch.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

[distributedSearch]
* Set distributed search configuration options under this stanza name.
* Follow this stanza name with any number of the following attribute/value pairs.  
* If you do not set any attribute, Splunk uses the default value (if there is one listed).

disabled = true | false
* Toggle distributed search off and on.
* Defaults to false (your distributed search stanza is enabled by default).

heartbeatFrequency = <in seconds>
* Heartbeat in seconds.  
* 0 disables all heartbeats.  
* If the heartbeat is disabled, no other Splunk server is able to auto-discover this instance.
* Defaults to 0.
   
heartbeatMcastAddr = <IP address>
* Set a multicast address.
* Defaults to 224.0.0.37.

heartbeatPort = <port>
* Set heartbeat port.
* Defaults to 8888.

serverTimeout = <in seconds>
* How long to wait for a connection to a server.
* If a connection occurs, a search times out in 10x this value.  
	* For example, if set to 10 seconds, the maximum search allowed is 100 seconds.  
* This setting works in tandem with 'removeTimedOutPeers.'
* Defaults to 10.

statusTimeout = <in seconds>
* Set how long to wait for a server to return its status. 
* Up this number if your peered servers are slow or if the server name disappears from Splunk Web.
   
removedTimedOutServers = true | false
* If true, remove a server connection that cannot be made within 'serverTimeout.'  
* If false, every call to that server attempts to connect. 
	* NOTE: This may result in a slow user interface.

checkTimedOutServersFrequency = <in seconds>
* This tag is ONLY relevant if 'removeTimedOutServers' is set to true.
 	* If 'removeTimedOutServers' is false, this attribute is ignored.
* Rechecks servers at this frequency (in seconds).  
* If this is set to 0, then no recheck will occur.
* Defaults to 60.   

autoAddServers = true | false
* If this tag is set to 'true', this node will automatically add all discovered servers.
* Defaults to false.

skipOurselves = true | false
* If this is set to 'true', then this server will NOT participate as a server in any search or other call. 
* This is used for building a node that does nothing but merge the results from other servers. 
* Defaults to false.

ttl = <integer>
* Time to live.
* Increasing this number allows the UDP multicast packets to spread beyond the current subnet to the specified number of hops.
* NOTE:  This only will work if routers along the way are configured to pass UDP multicast packets.
* Defaults to 1 (this subnet).  

servers = <comma separated list of servers)
* Initial list of servers.  
* If operating completely in 'autoAddServers' mode (discovering all servers), there is no need to have any servers listed here.

blacklistNames = <comma separated list of server names>
* List of server names that you do not want to peer with.
* Server names are the 'server name' that is created for you at startup time.

blacklistURLs = <comma separated list of server names or URIs>
* Specify servers to blacklist.
* You can blacklist on server name (above) or server URI (x.x.x.x:port).

shareBundles = true | false
* Indicates if this server will share its app with any of its peers.
* This flag is required on the search distributor.
* Defaults to true.

connectionTimeout = <integer>
* Amount of time in seconds to use as a timeout during search peer connection establishment

sendTimeout = <integer>
* Amount of time in seconds to use as a timeout while trying to write/send data to a search peer

receiveTimeout = <integer>
* Amount of time in seconds to use as a timeout while trying to read/receive data from a search peer


#******************************************************************************
# REPLICATION SETTING OPTIONS
# These options must be set under an [replicationSettings] entry 
#******************************************************************************

connectionTimeout = <number>
* The maximum number of seconds to wait before timing out on inital connection to a peer

sendRcvTimeout = <number>
* The maximum number of seconds to wait for the sending of a full replication to a peer

replicationThreads = <number>
* The maximum number of threads to use when performing bundle replication to peers
* Defaults to 1

#******************************************************************************
# REPLICATION WHITELIST OPTIONS
# These options must be set under an [replicationWhitelist] entry 
#******************************************************************************
<name> = <whitelist_regex>
* A pattern that if it matches a candidate file for replication (ie is under $SPLUNK_HOME/etc ) that file will be replicated.
* Note: Wildcards and replication:
* You can use wildcards to specify your path for replicated files. Use ... for paths and * for files.
* ... recurses through directories until the match is met. This means that /foo/.../bar will match foo/bar, foo/1/bar, foo/1/2/bar, etc. but only if bar is a file.
* To recurse through a subdirectory, use another .... For example /foo/.../bar/....
* matches anything in that specific path segment. It cannot be used inside of a directory path; it must be used in the last segment of the path. For example /foo/*.log matches /foo/bar.log but not /foo/bar.txt or /foo/bar/test.log.
* Combine * and ... for more specific matches:
* foo/.../bar/* matches any file in the bar directory within the specified path.

#******************************************************************************
# REPLICATION BLACKLIST OPTIONS
# These options must be set under an [replicationBlacklist] entry
#******************************************************************************
<name> = <blacklist_regex>
* All comments from the replication whitelist notes above apply here.
* replication blacklist takes precedence over the whitelist, meaning that a file that matches BOTH the whitelist and the blacklist will NOT be replicated

distsearch.conf.example

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.1.5
#
# This is an example distsearch.conf.  Use this file to configure distributed search.  For all 
# available attribute/value pairs, see distsearch.conf.spec.
#
# There is NO DEFAULT distsearch.conf.
#
# To use one or more of these configurations, copy the configuration block into distsearch.conf 
# in $SPLUNK_HOME/etc/system/local/.  You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

[distributedSearch]
heartbeatFrequency = 10
servers = 192.168.1.1:8059,192.168.1.2:8059
blacklistNames = the-others,them
blacklistURLs = 192.168.1.3:8059,192.168.1.4:8059

# This entry distributes searches to 192.168.1.1:8059,192.168.1.2:8059.
# The server sends a heartbeat every 10 seconds.
# There are four blacklisted instances, listed across blacklistNames and blacklistURLs.
# Attributes not set here will use the defaults listed in distsearch.conf.spec.

#this stanza controls the timing settings for connecting to a remote peer and the send timeout
[replicationSettings]
connectionTimeout = 10
sendRcvTimeout = 60

#this stanza controls what files are replicated to the other peer each is a regex
[replicationWhitelist]
allConf = *.conf

• Was this topic useful?
• Post a comment