## OVERVIEW

- 3 search heads
- 1 captain to manage the search heads (it is one of the three)
- 1 main node to connect the indexers (a separate machine)
- 3 indexers
- 1 deployer
- 8 machines total

### ESXI CONFIG

- name: splunk_search_head_# or splunk_indexer_#
- 8 cores
- 16 GB RAM
- 3 TB, thin provisioned
- add ISO: Ubuntu 20 desktop

### Initial Install ubuntu

- Continue
- Minimal
- Continue
- Erase
- Install now
- Continue
- Continue
- Account details:

```
name: Spadmin
computer name: searchhead# or indexer#
password: STANDARD
login: auto
```

- Continue
- Restart now
- Shutdown, remove the ISO
- Quit Livepatch
- Set IP: identity name: splunk; IPv4 method: manual, 10.2.25.x / 255.255.255.0 / gateway 10.2.25.1; IPv6: disable
- Display: 1920x1080
- Add Terminal to favorites

### BROWSER

- Log in to ESXi
- Download splunk from the datastore

```
# service account with no login shell
sudo useradd splunk -s /bin/false -l
sudo passwd splunk
cd Downloads
sudo mv splunk.tgz /opt
cd /opt
sudo tar -xvf splunk.tgz
cd splunk/bin
# first run prompts for the admin username and the password (entered twice)
sudo -u splunk ./splunk --accept-license
spadmin
STANDARD
STANDARD
# start splunk at boot as the splunk user
sudo ./splunk enable boot-start -user splunk
```

### Create this on splunk

```
#!/bin/bash
# save to /opt/splunkmotd.sh
# start-up banner for the splunk hosts
# take the 10.2.x.x address from `ip a` and strip the /prefix length
IP=$(ip a | grep "10.2." | awk '{print $2}' | cut -d/ -f1)
echo "Your IP is $IP"
echo "run"
echo "sudo /opt/splunk/bin/splunk status"
# add the full path (/opt/splunkmotd.sh) to the bottom of .bashrc so these lines print every time a terminal is opened.
```

### BROWSER

- Log in
- Settings > Server settings > General settings
  - Enable SSL: yes
  - Web port: 8000 -> 443
  - Save
- Global banner
  - Got it
  - text: searchhead# or indexer#
  - colour: Indexer - blue, Search head - green, Main node - orange
  - Save
- Server controls > Restart Splunk
- To add all parts to the cluster: go to index clustering: Settings (top right) > Indexer clustering > Enable indexer clustering

## MAIN NODE

- main node
- set ip to 9000
- replication factor: 1
- search factor: 1
- pass: STANDARD
- cluster label: dist_splunk

## INDEXER

- peer node
- manager uri: main node, https://IP:8089
- pass: STANDARD

## SEARCH HEAD

- search head node
- manager uri: main node, https://IP:8089
- pass: STANDARD
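The same three roles as the server.conf `[clustering]` stanza that Splunk Web writes when the dialogs above are submitted: an added helper script for these notes (not from the original), with the factors, secret and label taken from the values above. The replication port 9887 is Splunk's documented default for peers and is an assumption here; pass4SymmKey must be identical on the main node, every indexer and every search head, and Splunk replaces the plaintext with an encrypted form on the next restart.

```shell
#!/bin/sh
# Added example: print the server.conf [clustering] stanza for one role.
# Usage: clustering_stanza <manager|peer|searchhead> <manager-ip>
# Assumption: replication port 9887 (Splunk's default, not in the notes).
clustering_stanza() {
    role="$1"
    manager_ip="$2"
    secret="STANDARD"           # pass4SymmKey, the same on every node
    label="dist_splunk"
    case "$role" in
        manager)
            printf '[clustering]\n'
            printf 'mode = manager\n'
            printf 'replication_factor = 1\n'
            printf 'search_factor = 1\n'
            printf 'pass4SymmKey = %s\n' "$secret"
            printf 'cluster_label = %s\n' "$label"
            ;;
        peer)
            # peers also need a listening port for bucket replication
            printf '[replication_port://9887]\n\n'
            printf '[clustering]\n'
            printf 'mode = peer\n'
            printf 'manager_uri = https://%s:8089\n' "$manager_ip"
            printf 'pass4SymmKey = %s\n' "$secret"
            ;;
        searchhead)
            printf '[clustering]\n'
            printf 'mode = searchhead\n'
            printf 'manager_uri = https://%s:8089\n' "$manager_ip"
            printf 'pass4SymmKey = %s\n' "$secret"
            ;;
        *)
            echo "unknown role: $role (use manager, peer or searchhead)" >&2
            return 1
            ;;
    esac
}

# When run as a script, print the stanza for the role and manager IP given.
if [ "$#" -ge 2 ]; then
    clustering_stanza "$1" "$2"
fi
```

On an indexer, `./stanza.sh peer 10.2.25.10 | sudo tee -a /opt/splunk/etc/system/local/server.conf` appends the stanza (10.2.25.10 is a placeholder for the main node's IP), after which Splunk is restarted as in Server controls above.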