Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Configure a cluster deployment

A cluster is a group of Splunk Enterprise nodes (indexers) configured to replicate each other's data, so that the system keeps multiple copies of all of the data. This process is known as index replication. By maintaining multiple, identical copies of the data, clusters prevent data loss while promoting data availability for searching.

An overview of clusters

A cluster contains the following nodes:

  • A single master node to manage the cluster. The master node is a specialized type of indexer.
  • Several peer nodes that handle the indexing function for the cluster, indexing and maintaining multiple copies of the data and running searches across the data.
  • One or more search heads to coordinate searches across all of the peer nodes.

There are additional configuration steps, beyond what's needed for a stand-alone indexer, for setting up a cluster. For more information, see "About clusters and index replication" in the "Managing Indexers and Clusters" manual.

Before you set up a cluster, see "Key differences between clustered and non-clustered deployments" in the Splunk Enterprise documentation.

Configure a cluster for the Splunk App for VMware

This topic discusses the specific requirements for the Splunk App for VMware in a clustered environment.

To set up a cluster environment for the Splunk App for VMware:

  1. Determine the nodes you want to set up as the master node, peer nodes, and search head nodes. Also decide what replication factor you want to implement. The replication factor is the number of copies of raw data that the cluster maintains. It should be less than or equal to the number of search peers (slave nodes).
  2. Install the Splunk App for VMware on the search head, master nodes, and search peers under the $SPLUNK_HOME/etc/apps directory.
  3. Follow the instructions in Deploy a cluster to enable the master node, the peer nodes, and the search head for a clustered environment.
  4. To configure indexes across cluster peers, see "Configure the peer indexes". The Splunk App for VMware, by default, uses the "_internal" and the "_audit" indexes. To make the VMware data available to the cluster, add the new indexes (vmware-beta, vmware, vmware-perf, vmware-inv, vmware-taskevent, vmware-vclog, vmware-esxilog) to the $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf file on the master node. In each new index stanza, set the repFactor attribute to auto. This enables the index's data to be replicated to other peers in the cluster.
     Note: To add a new index to a cluster, directly edit the indexes.conf file. You cannot add an index via Splunk Web or the CLI.
    [vmware-beta]
    repFactor=auto
    [vmware]
    repFactor=auto
    [vmware-perf]
    repFactor=auto
    [vmware-inv]
    repFactor=auto
    [vmware-taskevent]
    repFactor=auto
    [vmware-vclog]
    repFactor=auto
    [vmware-esxilog]
    repFactor=auto
  5. On the master node, to distribute the configuration bundle to the search peers, log in to Splunk Web or use the CLI. Distribute the bundle in the $SPLUNK_HOME/etc/master-apps directory.
  6. After the bundle is distributed, $SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf is updated on all the search peers with the index configuration added on the master node.
  7. This step is optional. To distribute apps to all peers and share them across the cluster:
    1. See How to distribute apps to all peers. Add each app under $SPLUNK_HOME/etc/master-apps/<app-name>. Distribute the following Splunk App for VMware components to all search peers:
      /Splunk_TA_vmware
      /Splunk_TA_esxilogs
      /Splunk_TA_vcenter
      /SA-Hydra
      /SA-Utils
      /SA-Threshold
      /splunk_for_vmware
      /SA-VMW-Performance
      /SA-VMW-HierarchyInventory
      /SA-VMW-Licensecheck
      /SA-VMW-LogEventTask
    2. On the search peers, check that the app files exist under $SPLUNK_HOME/etc/slave-apps/<app-name>.
  8. When you have the app installed on the search head node, master node, and search peers, and you have set up the cluster, see "Get a data collection node" in this manual to get your data collection nodes.
  9. Data collection nodes are managed by the Distributed Collection Scheduler, on the master node. Log in to Splunk Web and navigate to the Collection Configuration dashboard. Register all new data collection nodes individually with the Distributed Collection Scheduler, specify the associated filers, and have them forward data to the indexers, then start the Distributed Collection Scheduler. See the "Add a data collection node" topic in this manual.
  10. Log in to the data collection nodes and check that the VMware data is forwarded to the indexers in the cluster.
  11. When you have installed and configured the app in your environment, log in to Splunk Web on the search head to view the Splunk App for VMware dashboards and use the app.
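A check for step 4, added here as an example and not part of Splunk's documentation or tooling: it reads an indexes.conf and reports any of the seven VMware indexes whose stanza is missing or not set to repFactor=auto, so that log data such as vmware-vclog and vmware-esxilog is not left unreplicated. The function names and output labels are this example's own; the index names and the file it is meant for come from the steps above, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not Splunk's code): check that every VMware index named in
# step 4 has a stanza with repFactor=auto in a given indexes.conf.
VMWARE_INDEXES="vmware-beta vmware vmware-perf vmware-inv vmware-taskevent vmware-vclog vmware-esxilog"

# check_repfactor FILE
# Prints "MISSING <index>" or "NOT_AUTO <index> repFactor=<value>" per problem.
# Returns 0 when all indexes replicate, 1 when any do not, 2 if FILE is unreadable.
check_repfactor() {
    [ -r "$1" ] || { echo "UNREADABLE $1"; return 2; }
    awk -v want="$VMWARE_INDEXES" '
        BEGIN { n = split(want, names, " ") }
        /^[ \t]*#/ { next }                      # comment line
        /^[ \t]*$/ { next }                      # blank line
        /^[ \t]*\[/ {                            # stanza header: [name]
            stanza = $0
            sub(/^[ \t]*\[/, "", stanza); sub(/\].*$/, "", stanza)
            seen[stanza] = 1; next
        }
        /=/ {                                    # key = value inside a stanza
            key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "repFactor") rf[stanza] = val
        }
        END {
            for (i = 1; i <= n; i++) {
                name = names[i]
                if (!(name in seen)) { print "MISSING " name; bad = 1; continue }
                v = (name in rf) ? rf[name] : "unset"
                if (v != "auto") { print "NOT_AUTO " name " repFactor=" v; bad = 1 }
            }
            exit bad + 0
        }' "$1"
}

# Constructed sample: one index set to repFactor=0, one stanza forgotten.
demo() {
    f=$(mktemp) || return 2
    printf '%s\n' '[vmware-beta]' 'repFactor=auto' '[vmware]' 'repFactor = auto' \
        '[vmware-perf]' 'repFactor=0' '[vmware-inv]' 'repFactor=auto' \
        '[vmware-taskevent]' 'repFactor=auto' '[vmware-vclog]' 'repFactor=auto' > "$f"
    check_repfactor "$f"; rc=$?
    rm -f "$f"; return $rc
}

# With a path argument, check that file; with none, run the constructed sample.
if [ $# -gt 0 ]; then check_repfactor "$1"; else demo || true; fi
```

Run it against $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf before distributing the bundle, and against $SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf on a peer afterwards.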

Sharing apps in a cluster

The master node distributes new or edited configuration files or apps across all the peers. Follow the instructions in the topic "Update common peer configurations and apps" to share apps in a cluster.

For example, to share a saved search across the peer nodes, add the saved search to $SPLUNK_HOME/etc/master-apps/<app-name>/.

Update the savedsearches.conf file. Log in to Splunk Web on the cluster master and push the configuration bundle. You can see the apps in $SPLUNK_HOME/etc/slave-apps/<app-name>/.

Managing configuration changes

Once the Splunk App for VMware has been distributed to the set of peers, launch and manage it on each peer with Splunk Web. See "Managing app configurations and properties" in the Splunk Enterprise Admin Manual.

Last modified on 04 April, 2014

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.1
