OVERVIEW
- 3 search heads
  - 1 captain to manage the search heads, and it is one of them
- 3 indexers
- 1 main node # to connect the indexers, is a separate machine
- 1 deployer
- 8 machines total
ESXI CONFIG
splunk_search_head_# or splunk_indexer_#
8 cores
16 gb ram
3 TB thin provision
Attach the Ubuntu 20 desktop iso
Initial Install ubuntu
Continue
Minimal
Continue
Erase
Install now
Continue
Continue
Spadmin
searchhead# or indexer#
STANDARD
login auto
Continue
Restart now
Shutdown
Remove iso
Quit Livepatch
Set IP
identity
name: splunk
Ipv4
Ipv4 method: manual
address 10.2.25.x, netmask 255.255.255.0, gateway 10.2.25.1
Ipv6 - disable
Display - 1920x1080
Add terminal to favorites
BROWSER
Login to ESXI
Download splunk from data store
sudo useradd splunk -s /bin/false -l
sudo passwd splunk
cd Downloads
sudo mv splunk.tgz /opt
cd /opt
sudo tar -xvf splunk.tgz
cd splunk/bin
sudo -u splunk ./splunk --accept-license
spadmin # admin username
STANDARD # admin password
STANDARD # confirm password
sudo ./splunk enable boot-start -user splunk
Create this file on the splunk machine
#!/bin/bash
#save to /opt/splunkmotd.sh
#start up file for splunk
#pick the inet line for the 10.2.x address and strip the /prefix, so any last-octet length works
IP=$(ip a | grep "inet 10\.2\." | awk '{print $2}' | cut -d/ -f1)
echo "Your IP is $IP"
echo "run"
echo "sudo /opt/splunk/bin/splunk status"
#add the full path to the bottom of .bashrc to have these commands pop up every time a terminal is opened.
BROWSER
login
Settings
server settings
General settings
Enable SSL: yes
Web port: 8000 -> 443
Save
Global banner
Got it
searchhead# or indexer#
Indexer - blue
Search head - green
Main node - orange
save
Server controls
Restart splunk
To add all parts to the cluster, go to index clustering:
settings # in top right
index clustering
enable indexer clustering
MAIN NODE
- main node
- set ip to 9000
- replication factor: 1
- search factor: 1
- pass: STANDARD
- cluster label: dist_splunk
INDEXER
- peer node
- manager uri: main node https://IP:8089
- pass: STANDARD
SEARCH HEAD
- search head node
- manager uri: main node https://IP:8089
- pass: STANDARD
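What the three clustering screens above write to $SPLUNK_HOME/etc/system/local/server.conf on each role, added here as an example rather than taken from the original notes. MAIN_NODE_IP is a placeholder, the replication_port stanza assumes the "9000" in the notes is the peer replication port, and the key names are the Splunk 8.1+ ones (older releases use mode = master and master_uri).

```ini
# MAIN NODE (Splunk calls it the manager node): server.conf
[clustering]
mode = manager
replication_factor = 1
search_factor = 1
pass4SymmKey = STANDARD
cluster_label = dist_splunk
# replication_factor = 1 / search_factor = 1 keeps a single copy of each
# bucket: if one indexer dies, its data is gone. Raise both once the lab works.

# INDEXER (peer node): server.conf
[replication_port://9000]
# assumption: the "9000" in the notes is this peer-to-peer replication port

[clustering]
mode = peer
manager_uri = https://MAIN_NODE_IP:8089
pass4SymmKey = STANDARD

# SEARCH HEAD: server.conf
[clustering]
mode = searchhead
manager_uri = https://MAIN_NODE_IP:8089
pass4SymmKey = STANDARD
```

Splunk replaces pass4SymmKey with a hash on the next restart, so set the same plaintext on all machines before restarting; afterwards `sudo /opt/splunk/bin/splunk show cluster-status` on the main node should list all three indexers as peers.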