Siren Platform User Guide

Using Siren Investigate with tribe nodes

Note

While tribe nodes have been deprecated in Elasticsearch in favor of Cross cluster search, you can still use Siren Investigate with tribe nodes until Elasticsearch version 7.0. Unlike tribe nodes, using cross cluster search in Siren Investigate requires no server-side configurations and does not switch off functionality like Console.

Siren Investigate can be configured to connect to a tribe node for data retrieval. Because tribe nodes cannot create indices, Siren Investigate additionally requires a separate connection to a node to maintain state. When configured, searches and visualizations will retrieve data using the tribe node and administrative actions (such as saving a dashboard) will be sent to non-tribe node.

Configuring Siren Investigate for tribe nodes

Tribe nodes take all of the same configuration options used when configuring Elasticsearch in investigate.yml. Tribe options are prefixed with elasticsearch.tribe and at a minimum requires a URL:

elasticsearch.url: "<your_administration_node>"
elasticsearch.tribe.url: "<your_tribe_node>"

When configured to use a tribe node, actions that modify Siren Investigate’s state will be sent to the node at elasticsearch.url. Searches and visualizations will retrieve data from the node at elasticsearch.tribe.url. It’s acceptable to use a node for elasticsearch.url that is part of one of the clusters that a tribe node is pointing to.

The full list of configurations can be found at Configuring Kibana.

Limitations

Due to the ambiguity of which cluster is being used, certain features are switched off in Siren Investigate:

  • Console
  • Managing users and roles with the x-pack plugin