Search heads are the main way for users to access data stored on a search peer. Usually, access to the WebUI is available and users utilize the Splunk query language to perform searches on stored data. In addition to running ad-hoc queries, users can save searches, create reports, and configure alerts among other things.
When deploying search heads, there are two basic options. One is to set up one or more independent search heads that search across the search peers; these servers can act independently or distribute searches between them. The other is to run multiple search heads in a search head cluster. In either case, the initial configuration must be completed to create a search head, and then the additional conf files must be configured. When using a search head cluster, additional load balancer configuration may be needed, which is outside the scope of this readme.
- Configure the Splunk Search Heads after splunk-base has run
- Install authorize.conf (checks for custom roles or uses defaults)
- Configure cluster (Multisite or Singlesite)
- Configure search head clustering (optional)
- search-heads
- splunk-search-heads : Check for custom roles file
- splunk-search-heads : Copy Splunk authorize.conf for system
- splunk-search-heads : Check if clustering is enabled
- splunk-search-heads : Add Search Heads to Cluster (Multisite or Singlesite)
- splunk-search-heads : Configure search head clustering (optional)
- TODO: Configure distributed search (optional)
```
splunk-search-heads/
├── README.md
├── defaults
│   └── main.yml
├── files
│   └── system_local.authorize.conf
├── handlers
│   └── main.yml
└── tasks
    └── main.yml
```
Once splunk-base has been applied, nodes can be configured for individual capabilities based on their inventory group.
The inventory is based on the hosts.example file located within the playbook.
However, inventory can be managed in other ways.
In the defaults/main.yml, configure the settings to utilize different options and configurations.
Options can be overridden in higher level configs or a secrets file.
Define the base directory where Splunk is installed.

```yaml
splunk_base: '/opt/splunk'
```
Configure usage of a search head cluster.

```yaml
# Enable Search Head Clustering
use_shclustering: false
```
Define whether or not a multisite cluster will be deployed.

```yaml
# Use multisite or single site cluster config
use_multisite_config: "true"  # set to false when not using
```
If using the multisite cluster option, this setting defines the default site for search nodes. Defining site0 allows the search head to search any site.

```yaml
# Multisite config options http://docs.splunk.com/Documentation/Splunk/7.1.0/Indexer/MultisiteCLI
search_site: "site0"
```
If using custom roles, create a file in the secrets directory, group_vars/custom_files/custom_roles.conf, with the defined name.

```yaml
# For more info about roles http://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/authorizeconf
# To use a custom roles file, create a file in the custom_files folder
custom_roles_file: 'custom_roles.conf'
```
Example settings for a search head cluster. These are defined in the secrets file (secrets.yml).

```yaml
# Settings are configured in the secrets file
example_stage:
  shclustering:
    splunk_shcluster_captain: 'https://server1.domain.tld:8089'
    splunk_shclustering_pass4SymmKey: 'somerandomText'
    splunk_shcluster_label: 'shcluster1'
    splunk_shcluster_replication_port: '8087'
    splunk_shcluster_replication_factor: '3'
    splunk_shcluster_servers_list: 'https://server1.domain.tld:8089,https://server1.domain.tld:8089,https://server1.domain.tld:8089'
```
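An added sanity check (example code, not part of the splunk-search-heads role) that validates a shclustering block before it is applied: member URIs must be https management endpoints, the servers list must not repeat members, the captain must be in the list, the replication factor cannot exceed the member count, and pass4SymmKey must not be a short placeholder. Key names match the secrets.yml block above; SAMPLE, the 16-character minimum and the placeholder list are constructed assumptions.

```python
# Added example (not part of the splunk-search-heads role): sanity-check the
# shclustering settings before Ansible applies them. Key names match the role's
# secrets.yml; SAMPLE, the length threshold and the placeholder list are assumed.
from urllib.parse import urlsplit

PLACEHOLDER_KEYS = {"changeme", "somerandomtext", "password"}  # assumed list

def parse_servers(servers_list: str) -> list[str]:
    """Split splunk_shcluster_servers_list (comma-separated URIs) into entries."""
    return [s.strip() for s in servers_list.split(",") if s.strip()]

def check_shclustering(cfg: dict) -> list[str]:
    """Return the problems found in one shclustering settings block."""
    problems = []
    servers = parse_servers(cfg.get("splunk_shcluster_servers_list", ""))
    captain = cfg.get("splunk_shcluster_captain", "")
    # Every member, captain included, must be an https://host:port management URI
    for uri in [captain] + servers:
        parts = urlsplit(uri)
        if parts.scheme != "https" or not parts.hostname or not parts.port:
            problems.append(f"member URI must be https://host:port, got {uri!r}")
    unique = set(servers)
    if len(unique) != len(servers):
        problems.append("splunk_shcluster_servers_list contains duplicate members")
    if captain not in unique:
        problems.append("captain is not listed in splunk_shcluster_servers_list")
    try:
        rf = int(cfg.get("splunk_shcluster_replication_factor", "0"))
    except ValueError:
        rf = 0
    if rf < 1:
        problems.append("replication_factor must be a positive integer")
    elif rf > len(unique):
        problems.append(f"replication_factor {rf} exceeds {len(unique)} unique member(s)")
    key = cfg.get("splunk_shclustering_pass4SymmKey", "")
    if len(key) < 16 or key.lower() in PLACEHOLDER_KEYS:
        problems.append("pass4SymmKey is short or a placeholder; use a long random secret")
    return problems

SAMPLE = {  # constructed; mirrors the example_stage.shclustering block above
    "splunk_shcluster_captain": "https://server1.domain.tld:8089",
    "splunk_shclustering_pass4SymmKey": "somerandomText",
    "splunk_shcluster_label": "shcluster1",
    "splunk_shcluster_replication_port": "8087",
    "splunk_shcluster_replication_factor": "3",
    "splunk_shcluster_servers_list": ",".join(["https://server1.domain.tld:8089"] * 3),
}

if __name__ == "__main__":
    print(*check_shclustering(SAMPLE), sep="\n")  # three findings for SAMPLE
```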