In a distributed environment, what should be peers for the Monitoring Console?
Search heads or clustered search heads
Deployment server
License master
Non-clustered indexers
- For an indexer cluster, add the MC as a search head of the cluster
Best machine to pair the Monitoring Console with?
A) Deployer
B) Cluster Master
C) Non-production search head
D) Dedicated machine for the MC
D
Monitoring Forwarders
MC does not directly connect to UFs
Heavy forwarders can be directly monitored
Forwarder monitoring relies upon log based metrics and saved searches
No direct connection to the forwarders is required
_internal index provides info about operational things
_introspection index provides info about resource usage
How does the Monitoring Console process roles for:
Indexers
Search Peers
Deployment Server
SHC Deployer
If it is indexing locally it is an Indexer.
If other hosts search it, it is a search peer.
If Splunk started with serverclass.conf it is a Deployment Server
If bundle contents are created from $SPLUNK_HOME/etc/shcluster/apps, it is the Search Head Cluster Deployer
What command do you use to convince a host that it is the SHC deployer?
$SPLUNK_HOME/bin/splunk apply shcluster-bundle -action stage
How do you remove the SHC deployer role?
Delete $SPLUNK_HOME/var/run/splunk/deploy and restart Splunk
Where are the roles of a host cached on the MC?
distsearch.conf
What does the MC monitor in each instance type:
Indexer
Search Head
Search Head Cluster
Forwarder
Indexer: pipelines, queues, indexes, and volume-based retention
Search Head: search activity, scheduler activity, and KV-store
Search Head Clustering: configuration replication, app install activity, report delegation (by the captain) and KV-store operation
Forwarders: daily license usage
In what file are the checks provided in the Health Check app?
checklist.conf
What does authentication.conf do?
Forces users to demonstrate that they are who they say they are
The user must prove his/her identity to the server by providing a username and password
What does authorize.conf do?
Defines what a user can do
Server determines if a client has access to utilize a resource or perform a specific job/task
What are four authentication methods for Splunk?
Native Splunk accounts
LDAP
SAML
Scripted authentication