Configuring Distributed Search Lab

Time: 6 hours 3 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
00:00
Hello and welcome back to the Splunk Enterprise Certified Administrator course on Cybrary. In this video, we're gonna be doing a quick lab to demonstrate how you will set up your search heads or monitoring console, which is technically a search head, to interact with their search peers, a.k.a.
00:19
the indexers for the search head,
00:21
or, in the case of the monitoring console, all of the Splunk components in your deployment.
00:27
So I'll show you how to do that through the web and then,
00:31
uh, demonstrate what that looks like in a configuration file, and then just talk through how you can configure it once and then just kind of copy that file and deploy it to make it a little bit easier. So before we get started, I'll just do a quick review. Um,
00:47
since the beginning of this lab, we have been working with an all-in-one instance.
00:52
Before this lab, to demonstrate setting up this configuration, I split out what used to be Splunk all-in-one into a search head, which also acts as our deployment server and stuff still, and then I made a dedicated indexer and did all the work necessary to
01:10
migrate apps between the two and get our forwarder to start sending to the indexer instead of
01:19
the old all-in-one instance.
01:22
So the first thing we're gonna do is... first, I also cleaned out all the old event data. We don't have any more.
01:30
So, for example, if I search main, no events. If I do all time, no events. I cleaned everything out.
01:38
But we should still have internal logs because they should be generated continuously,
01:44
and we do,
01:46
so I'll just do last 15 minutes. We don't need that much.
01:48
So the important thing here is to know, right now we just have this one host available to us, and it's the localhost that's just monitoring its own logs.
01:57
But once we add the other server, we should be able to see logs from it as well. So that's a good way to check to make sure that you know you properly added it as a search peer.
02:09
But the way to do this is just go to Settings, Distributed search,
02:15
Search peers, and you just click Add new.
02:19
So
02:20
then you type in the peer URI. It should always be in this,
02:25
uh, format. You can use an IP address. You don't have to use a domain name.
02:30
It's better to use a domain name, but like I said in previous videos, I just don't have one set up.
02:37
So we're gonna use an IP address
02:39
rooms.
02:42
So I copied this from here,
02:45
pasted it in
02:47
on 8089.
02:51
I don't know that I opened that port yet, so we may need to
02:55
do that before we can successfully
02:59
add this. We'll see the
03:07
Yep. So it could not connect. That is most likely just because of a firewall rule. We did just add one.
03:16
So it should be
03:19
right here. So we'll add this
03:23
and let's see if our setting works now.
03:28
So, there we go. So now this is... so this is what? Well, so that's actually cool, because we demonstrate what will happen when it doesn't work. It will give you an error message. When it does work, it will show up as a peer here,
03:42
and now we should also be able to search on our internal logs again.
03:49
You can see those.
03:52
And we can see we have
03:53
multiple hosts now. Okay, so, uh, so I copied over... I didn't clean the event data on the new indexer that we added, and I did a full copy of the data and everything from the old one over there. So we have some old data in here, and we have these logs as well.
04:13
The thing that we want to check, though, is to see if Windows logs are coming in now,
04:19
um, to make sure that everything worked, but
04:29
yeah, uh, it's still to be determined if my new indexer is receiving logs. But that doesn't really matter for the purpose of this. We do demonstrate that,
04:41
um
04:43
now that my search peer is configured, I can see the index that only exists on the indexer, and I can also see my internal logs
04:55
from
04:59
my indexer as well, so we can see that that configuration worked. That's exactly what you would expect to see. Now let's go look on disk to see what setting this did.
05:10
So we're going to go to our search head. And since we set it up through Splunk Web, it should be in the etc/system/local directory. So we will go to /opt/splunk/etc/system/local, and it should be the... okay, I'm going to ls
05:30
so it should be this distsearch.conf is what gets configured when you do that. So we'll just cat that out.
05:40
I should specify the full path so it actually knows what I'm talking about.
05:49
Okay, cool. So you can see all it does is it makes a distributedSearch, uh, stanza, the name, and then servers equals. And this will just be a comma-separated list of your
06:01
fully written out,
06:04
um,
06:05
indexers or, in the case of the MC, you know, any Splunk Enterprise devices, and then you just comma-separate and add more, more if you want to do it that way.
06:16
So the thing that I would do is, if I set it up through the web, I would only do that to generate the initial file and, like, make sure that you can see in this GUI interface that it was working, because that is kind of nice to get this instant feedback loop of: okay, that's set up, it worked.
06:35
But before I actually considered that done,
06:40
I would move... if you're in a distributed environment where you have, like, maybe a search head cluster or something, you might want to move this into an app and deploy it through the deployer just for consistency.
06:55
But you don't have to, because in a search head cluster this setting will automatically be replicated, so you could keep it like that.
07:00
But, um,
07:04
you can also use it as a baseline if you wanted. So say you set up your search head cluster or search head completely, and you don't want to type all that in again. You could copy this file
07:17
to use as a baseline, like a starting point, for your monitoring console, and then just add the other Splunk components that aren't indexers, like your search heads, for example, into this list and use that file for your monitoring console,
07:32
and whether you decide to deploy this one through the deployment server or install it locally or make it locally, it doesn't really matter as much just because you don't have to send it to a lot of components. You're not gonna need to, like, automatically deploy it through the deployment server.
07:50
So it's totally fine if you want to make this setting
07:54
just through the web. I kind of tend to do this one. It's one of few settings I prefer to do through the web, just 'cause it's easy.
08:01
But that demonstrates, uh, basically search peers. We reviewed what search peers means again just for you. It just means any device that this Splunk instance can query. It's gonna be over port 8089. You specify the URI,
08:20
and for search heads it'll be all indexers; for a monitoring console it'll be all Splunk Enterprise instances.
08:28
So that's, uh, that's everything you really need to know about configuring a search peer. It's a pretty straightforward, pretty easy process, but
08:37
definitely important that you know it.
08:39
So that wraps up this video, and we'll see you in the next one.
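The video shows that adding a search peer through Splunk Web writes a `[distributedSearch]` stanza with a comma-separated `servers` list into `etc/system/local/distsearch.conf`, and that a peer whose port 8089 is blocked by a firewall shows up as "could not connect". The following script is an added example, not from the video or from Splunk: it parses such a file, checks that every peer URI is `https://host:8089`, and can optionally test TCP reachability on the management port so that a firewall problem is caught before the file is copied to a search head cluster or monitoring console. The sample configuration and its IP addresses are constructed placeholders.

```python
"""Audit the servers list in a Splunk search head's distsearch.conf.

Added example (not the video's or Splunk's own code). It assumes only the
file layout the video shows: a [distributedSearch] stanza whose `servers`
key is a comma-separated list of https://host:8089 URIs.
"""
import configparser
import socket
from urllib.parse import urlsplit

SPLUNK_MGMT_PORT = 8089  # Splunk management port used for distributed search

# Constructed sample of what Splunk Web writes; the IPs are placeholders.
# It deliberately contains two bad entries (plain http, wrong port).
SAMPLE_DISTSEARCH_CONF = """\
[distributedSearch]
servers = https://10.0.0.11:8089,https://10.0.0.12:8089,http://10.0.0.13:8089, https://10.0.0.14:9997
"""


def parse_servers(conf_text: str) -> list[str]:
    """Return the peer URIs listed under [distributedSearch] (empty if absent)."""
    # Only '=' is a key/value delimiter here, so the ':' inside URIs is safe.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(conf_text)
    if not parser.has_section("distributedSearch"):
        return []
    raw = parser.get("distributedSearch", "servers", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def validate_peer_uri(uri: str) -> tuple[bool, str]:
    """Check that a peer URI uses https on the management port (8089)."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return False, f"{uri}: scheme must be https, got {parts.scheme or 'none'}"
    if not parts.hostname:
        return False, f"{uri}: missing host"
    if parts.port != SPLUNK_MGMT_PORT:
        return False, f"{uri}: port must be {SPLUNK_MGMT_PORT}, got {parts.port}"
    return True, f"{uri}: ok"


def is_reachable(uri: str, timeout: float = 3.0) -> bool:
    """Open a TCP connection to the peer's management port; False on any failure.

    This is the same condition Splunk Web reports as "could not connect"
    (firewall rule missing, wrong port, host down).
    """
    parts = urlsplit(uri)
    try:
        with socket.create_connection(
            (parts.hostname, parts.port or SPLUNK_MGMT_PORT), timeout=timeout
        ):
            return True
    except OSError:
        return False


def audit(conf_text: str, check_network: bool = False) -> dict[str, str]:
    """Map each listed peer to a one-line verdict.

    With check_network=True, syntactically valid peers are also probed on 8089;
    leave it False for an offline review of the file itself.
    """
    results = {}
    for uri in parse_servers(conf_text):
        ok, msg = validate_peer_uri(uri)
        if ok and check_network and not is_reachable(uri):
            msg = f"{uri}: valid but unreachable on {SPLUNK_MGMT_PORT} (check firewall)"
        results[uri] = msg
    return results


if __name__ == "__main__":
    # Offline run over the constructed sample: two peers pass, two are flagged.
    for verdict in audit(SAMPLE_DISTSEARCH_CONF).values():
        print(verdict)
```

To audit a real file, read `/opt/splunk/etc/system/local/distsearch.conf` (or the copy inside the app you deploy) and pass its text to `audit(..., check_network=True)` from the search head that will use it, since reachability only means something from that host's side of the firewall.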
Splunk Enterprise Certified Administrator

The course is designed around the guidelines provided in Splunk’s Test Blueprint for the Certified Administrator certification, Splunk Docs, the Splunk Data and System Admin courses, and the experience of a Splunk Professional Services Consultant.
