distsearch.conf
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
distsearch.conf
Use distsearch.conf to configure distributed search.
distsearch.conf.spec
# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains possible attributes and values you can use to configure distributed search.
#
# There is NO DEFAULT distsearch.conf.
#
# To set custom configurations, place a distsearch.conf in $SPLUNK_HOME/etc/system/local/.
# For examples, see distsearch.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
[distributedSearch]
* Set distributed search configuration options under this stanza name.
* Follow this stanza name with any number of the following attribute/value pairs.
* If you do not set any attribute, Splunk uses the default value (if there is one listed).
disabled = <true | false>
* Toggle distributed search off and on.
* Defaults to false (your distributed search stanza is enabled by default).
heartbeatFrequency = <in seconds>
* Heartbeat in seconds.
* 0 disables all heartbeats.
* If the heartbeat is disabled, no other Splunk server is able to auto-discover this instance.
* Defaults to 2.
heartbeatMcastAddr = <IP address>
* Set a multicast address.
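* Defaults to 255.0.0.37.
* NOTE: IPv4 multicast addresses fall within 224.0.0.0 - 239.255.255.255; confirm this default against the distsearch.conf.spec shipped with your installation.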
heartbeatPort = <port>
* Set heartbeat port.
* Defaults to 60.
serverTimeout = <in seconds>
* How long to wait for a connection to a server.
* If a connection occurs, a search times out in 10x this value.
* For example, if set to 10 seconds, the maximum search allowed is 100 seconds.
* This setting works in tandem with 'removedTimedOutServers' (defined below).
* Defaults to 10.
statusTimeout = <in seconds>
* Set how long to wait for a server to return its status.
* Increase this value if your peered servers are slow or if the server name disappears from the
SplunkWeb widget.
removedTimedOutServers = <true | false>
* If true, remove a server connection that cannot be made within 'serverTimeout.'
* If false, every call to that server attempts to connect.
* NOTE: This may result in a slow user interface.
checkTimedOutServersFrequency = <in seconds>
* This attribute is ONLY relevant if 'removedTimedOutServers' is set to true.
* If 'removedTimedOutServers' is false, this attribute is ignored.
* Rechecks servers at this frequency (in seconds).
* If this is set to 0, then no recheck will occur.
* Defaults to 60.
autoAddServers = [True | False]
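* If this tag is set to 'true', this node will automatically add all discovered servers.
* NOTE: Discovery relies on the heartbeat, so every instance whose heartbeat reaches this node is added as a server without review. Use 'blacklistNames' / 'blacklistURLs' to exclude instances you do not want to peer with, or set this to 'false' and list the servers explicitly in 'servers'.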
skipOurselves = [True | False]
* If this is set to 'true', then this server will NOT participate as a server in any search or
other call.
* This is used for building a node that does nothing but merge the results from other servers.
* Defaults to 'false.'
ttl = <integer>
* Time To Live.
* Increasing this number allows the UDP multicast packets to spread beyond the current subnet
to the specified number of hops.
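* NOTE: This works only if routers along the way are configured to pass UDP multicast packets.
* NOTE: A higher value also widens the set of hosts that can receive this instance's heartbeat; raise it only when servers on other subnets must discover this instance.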
* Defaults to 1 (this subnet).
servers =
* Initial list of servers.
* If operating completely in 'autoAddServers' mode (discovering all servers), there is no need
to have any servers listed here.
blacklistNames =
* List of server names that you do not want to peer with.
* Server names are the 'server name' that is created for you at startup time.
blacklistURLs =
* Comma-delimited lists of blacklisted discovered servers.
* You can blacklist on server name (above) or server URI (x.x.x.x:port).
distsearch.conf.example
# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.0
#
# This is an example distsearch.conf. Use this file to configure distributed search. For all
# available attribute/value pairs, see distsearch.conf.spec.
#
# There is NO DEFAULT distsearch.conf.
#
# To use one or more of these configurations, copy the configuration block into distsearch.conf
# in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.

[distributedSearch]
# Send a heartbeat every 10 seconds.
heartbeatFrequency = 10
# Initial list of servers that searches are distributed to (comma-separated address:port pairs).
servers = 192.168.1.1:8059,192.168.1.2:8059
# Server names this instance must not peer with.
blacklistNames = the-others,them
# Server URIs (address:port) this instance must not peer with.
blacklistURLs = 192.168.1.3:8059,192.168.1.4:8059

# This entry distributes searches to 192.168.1.1:8059,192.168.1.2:8059.
# The server sends a heartbeat every 10 seconds.
# There are four blacklisted instances, listed across blacklistNames and blacklistURLs.
# Attributes not set here will use the defaults listed in distsearch.conf.spec.
This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.