Topology overview question

[adamrushuk]

Please select the type of request

Bug

Tell us more

Describe the request

• Please could somebody explain why the License Manager shows as an Indexer, and the Cluster Manager and Monitoring Console shows as Search Heads within the Topology Overview (as shown below):

Expected behavior

• I expected to only see 3 indexers shown under the Indexers column, and 1 Search Head in the Search Heads column.

Splunk setup on K8S

• Running splunk operator v2.2.0 using a c1 configuration with 3 standalone pods:
• 1 x Search head
• 1 x Heavy Forwarder
• 1 x Deployment

Reproduction/Testing steps

• Apply the YAML below then navigate to the monitoring console topology overview page, eg: http://MONITORING_CONSOLE_SERVER/en-GB/app/splunk_monitoring_console/monitoringconsole_overview

apiVersion: enterprise.splunk.com/v4
kind: LicenseManager
metadata:
  name: lm-example
  finalizers:
    - enterprise.splunk.com/delete-pvc
spec:
  volumes:
    - name: licenses
      configMap:
        name: splunk-licenses
  licenseUrl: /mnt/licenses/enterprise.lic
  monitoringConsoleRef:
    name: mc-example
---
apiVersion: enterprise.splunk.com/v4
kind: ClusterManager
metadata:
  name: cm-example
  finalizers:
    - enterprise.splunk.com/delete-pvc
spec:
  licenseManagerRef:
    name: lm-example
  monitoringConsoleRef:
    name: mc-example
  defaults: |-
    splunk:
      set_search_peers: false
---
apiVersion: enterprise.splunk.com/v4
kind: IndexerCluster
metadata:
  name: idxc-example
  finalizers:
    - enterprise.splunk.com/delete-pvc
spec:
  replicas: 3
  clusterManagerRef:
    name: cm-example
  licenseManagerRef:
    name: lm-example
  monitoringConsoleRef:
    name: mc-example
---
apiVersion: enterprise.splunk.com/v4
kind: MonitoringConsole
metadata:
  name: mc-example
  finalizers:
    - enterprise.splunk.com/delete-pvc
spec:
  defaults: |-
    splunk:
      set_search_peers: false
---
apiVersion: enterprise.splunk.com/v4
kind: Standalone
metadata:
  name: sh-example
  finalizers:
    - enterprise.splunk.com/delete-pvc
spec:
  clusterManagerRef:
    name: cm-example
  licenseManagerRef:
    name: lm-example
  monitoringConsoleRef:
    name: mc-example
---
apiVersion: enterprise.splunk.com/v4
kind: Standalone
metadata:
  name: hwf-example
  finalizers:
    - enterprise.splunk.com/delete-pvc
spec:
  extraEnv:
    - name: SPLUNK_ROLE
      value: "splunk_heavy_forwarder"
  clusterManagerRef:
    name: cm-example
  licenseManagerRef:
    name: lm-example
  monitoringConsoleRef:
    name: mc-example
  defaults: |-
    splunk:
      set_search_peers: false
---
apiVersion: enterprise.splunk.com/v4
kind: Standalone
metadata:
  name: deployment
  finalizers:
    - enterprise.splunk.com/delete-pvc
spec:
  extraEnv:
    - name: SPLUNK_ROLE
      value: "splunk_deployment_server"
  clusterManagerRef:
    name: cm-example
  licenseManagerRef:
    name: lm-example
  monitoringConsoleRef:
    name: mc-example
  defaults: |-
    splunk:
      set_search_peers: false

K8s environment

• AKS cluster

Additional context(optional)

• I'm trying to get a deployment and heavy forwarder configured using a c1 architecture.

[kashok-splunk]

Hi @adamrushuk, I'll try to break the question into 2 parts:

1. the Cluster Manager and Monitoring Console shows as Search Heads, As per Splunk documentation since Monitoring Console has been hosted on an instance other than Cluster Manager, MC is added as a search head to the CM. Also, CM is added as a search peer to the MC, so we see multiple SH here.
2. License Manager shows as an Indexer Since License Manager is not connected to the indexing cluster then its role should be license master and indexer (indexing its own logs)

Please let us know if you have any further questions

[adamrushuk]

Thanks for the explanation @kashok-splunk - I wanted to ensure that behaviour was expected. I'll close the ticket now :)