Blog

Splunk Cluster setup – 2a: Setup Ubuntu Linux (Azure)

Posted on July rd, 2015 in Server Setup, Splunk, Virtual Server | 3 Comments

Continuing the series of Splunk Cluster setup articles with instructions on Setup of Ubuntu Linux in Azure for Splunk Cluster setup.

Content:

Attach Disk to VM in Azure Portal
Initialize Disk and create partition in Linux
Setup RAID 0 configuration for Hot/Warm buckets

Details:

Attach Disk in Azure portal

Select you Virtual machine and navigate to Dashboard tab
Click on Attach button and select Attach Empty Disk
You can give this disk a distinct name and select the disk size (max 1023GB)
Click the check mark to confirm

Initialize Disk and create Partition in Linux

We can do this step via RDP connection we’ve setup in previous step, or we can SSH into our VM.

Method using RDP is a bit tricky as you will have to RDP as root user in order to use Disk Utility (any suggestion how to overcome this limitation, please let me know via Twitter) but we will have to change disk permissions later.

For now let’s move with SSH method.

SSH into your server
Run command to get the list of attached disks.
```
sudo grep SCSI /var/log/syslog
```
Last one is the one we have attached in the previous step. Note the identifier i.e. [sdc]
Now let’s partition this drive with one primary partition [fdisk documentation]
```
sudo fdisk /dev/sdc
```
Use n command for new partition
Use p parameter for primary partition
Accept all default settings for partition number, first cylinder, last cylinder
Review settings using p command
And accept/write them using w command
Create file system on this new partition, make sure you use proper Device Boot value from steps above
```
sudo mkfs -t ext4 /dev/sdc1
```

We now are ready to set up mount point for this partition.

We will not mount this drive until Splunk is installed, you will see why.

Setup RAID 0 disk for Hot/Warm buckets

Without jumping too much ahead, I want to review the design architecture of disks I chose for Splunk Setup. Your configuration might vary. Refer to Splunk documentation for more details [Understanding Buckets][How the indexer stores indexes]

Hot/Warm buckets are searchable buckets and require faster disk
Cold buckets can reside on slower drive to save money, while Frozen buckets are essentially ‘deleted’ buckets and depending on setup might not even be required.

My setup has 2 virtual drives RAIDed 0 for Hot/Warm buckets, and single drive disks for Cold and Frozen. We’ve setup single drive disk in previous step for Cold and will skip Frozen setup as it is identical to Cold.

Attach 2 new empty disks in Azure Portal as outlined above.
Install mdadm tool [wiki]
```
apt-get install mdadm
```
Run command to get the list of attached disks.
```
sudo grep SCSI /var/log/syslog
```
Note last two disks’ identifiers, we will need it for RAID setup command

For RAID 0 setup, issue command

sudo mdadm --create --verbose /dev/md0 --level=stripe --raid-devices=2 /dev/sde /dev/sdd

Now let’s partition just like have done before. Note that our disk identifier is now md0
```
sudo fdisk /dev/md0
```
Use n command for new partition
Use p parameter for primary partition
Accept all default settings for partition number, first cylinder, last cylinder
Review settings using p command
And accept/write them using w command
Create file system on this new partition, make sure you use proper Device Boot value from steps above
```
sudo mkfs -t ext4 /dev/md0p1
```

And we are done! Yo can repeat these steps for any additional disks/drives you would like to use for next step ofSetting up Splunk

Tags: Azure, Cluster, Linux, RAID, Server, Splunk, SSH, Ubuntu, Virtual Server

Comments are now closed for this post.

- @InsideWithPsaki @jrpsaki 😂 communication advise from Psaki Time ago 1 Day via Twitter Web App
Follow @ateterine on twitter.

@ateterine