Use mounted bundles with search head pooling
| This feature has been deprecated. |
|---|
| Search head pooling has been deprecated as of Splunk Enterprise version 6.2. This means that although it continues to function, it might be removed in a future version.
As an alternative, you can deploy search head clustering. See "About search head clustering". For information on mounted bundles and search head clustering, see "Search head clustering and mounted bundles". For a list of all deprecated features, see the topic "Deprecated features" in the Release Notes. |
The process for configuring mounted bundles is basically no different if you're using search head pooling to manage multiple search heads. A few things to keep in mind:
- Use the same shared storage location for both the search head pool and the mounted bundles. Search head pooling uses a subset of the directories required for mounted bundles.
- Search head pooling itself only requires that you mount the
$SPLUNK_HOME/etc/{apps,users}directories. However, when using mounted bundles, you must also provide a mounted$SPLUNK_HOME/etc/systemdirectory. This doesn't create any conflict among the search heads, as they will always use their own versions of thesystemdirectory and ignore the mounted version. - The search peers must create separate stanzas in
distsearch.conffor each search head in the pool. Thebundles_locationin each of those stanzas must be identical.
See "Configure search head pooling" for information on setting up a search head pool.
Example configuration: Search head pooling with mounted bundles
This example shows how to combine search head pooling and mounted bundles in one system. There are two main sections to the example:
1. Set up a search head pool consisting of two search heads. In this part, you also mount the bundles.
2. Set up the search peers so that they can access bundles from the search head pool.
The example assumes you're using an NFS mount for the shared storage location.
Part 1: Set up the search head pool
Before configuring the pool, perform these preliminary steps:
1. Enable two Splunk Enterprise instances as search heads. This example assumes that the instances are named "searcher01" and "searcher02".
2. Set up a shared storage location accessible to each search head. This example assumes that you set up an NFS mountpoint, specified on the search heads as /mnt/search-head-pooling.
For detailed information on these steps, see "Create a pool of search heads".
Now, configure the search head pool:
1. On each search head, stop splunkd:
splunk stop splunkd
2. On each search head, enable search head pooling. In this example, you're using an NFS mount of /mnt/search-head-pooling as your shared storage location:
splunk pooling enable /mnt/search-head-pooling [--debug]
Among other things, this step creates empty /etc/apps and /etc/users directories under /mnt/search-head-pooling. Step 3 uses those directories.
3. Copy the contents of the $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/users directories on one of the search heads into the /etc/apps and /etc/users subdirectories under /mnt/search-head-pooling:
cp -r $SPLUNK_HOME/etc/apps/* /mnt/search-head-pooling/etc/apps cp -r $SPLUNK_HOME/etc/users/* /mnt/search-head-pooling/etc/users
4. Copy one search head's $SPLUNK_HOME/etc/system directory to /mnt/search-head-pooling/etc/system.
cp -r $SPLUNK_HOME/etc/system /mnt/search-head-pooling/etc/
5. Review the /mnt/search-head-pooling/etc/system/local/server.conf file for a [pooling] stanza. If it exists, remove any entries.
6. On each search head, edit the distsearch.conf file to set shareBundles = false:
[distributedSearch] ... shareBundles = false
7. On each search head, start splunkd:
splunk start splunkd
Your search head pool should now be up and running.
Part 2: Mount bundles on the search peers
Now, mount the bundles on the search peers.
On each search peer, perform these steps:
1. Mount the shared storage location (the same location that was earlier set to /mnt/search-head-pooling on the search heads) so that it appears as /mnt/bundles on the peer.
2. Create a directory that consists of symbolic links to the bundle subdirectories:
/opt/shared_bundles/bundles/system -> /mnt/bundles/etc/system /opt/shared_bundles/bundles/users -> /mnt/bundles/etc/users /opt/shared_bundles/bundles/apps -> /mnt/bundles/etc/apps
3. Create a distsearch.conf file in $SPLUNK_HOME/etc/system/local/ on the search peer, with stanzas for each of the two search heads:
[searchhead:searcher01] mounted_bundles = true bundles_location = /opt/shared_bundles/bundles [searchhead:searcher02] mounted_bundles = true bundles_location = /opt/shared_bundles/bundles
4. Restart the search peer:
splunk restart splunkd
Repeat the process for each search peer.
| Configure mounted bundles | Deploy a distributed search environment |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9
Download manual
Feedback submitted, thanks!