Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Search head configuration overview

Configuration of the search head in an indexer cluster falls into these categories:

  • Cluster node configuration. The basic configuration of the search head node occurs during initial deployment of the indexer cluster. You can edit the configuration later.
  • Advanced features and topologies. These features, such as mounted bundles, are available to all search heads, whether or not they are participating in an indexer cluster.
  • Combined searches. You can combine searches across multiple clusters or across clustered and non-clustered search peers.

Important: This chapter discusses independent search heads that function as nodes in an indexer cluster. For information on how to incorporate search heads that are members of a search head cluster into an indexer cluster, see "Integrate the search head cluster with an indexer cluster" in the Distributed Search manual. In addition, see the "Configure search head clustering" chapter in the Distributed Search manual.

Cluster node configuration

Basic configuration of a Splunk Enterprise instance as a search head for an indexer cluster occurs when you initially deploy the indexer cluster. You can edit the configuration later.

Perform the initial configuration

You configure and enable the search head at the same time that you enable the other cluster nodes, as described in "Enable the search head". The cluster's set of peer nodes become search peers of the search head. For basic functionality, you do not need to set any other configurations.

Edit the configuration

There are two main reasons for editing the basic search head configuration for a particular cluster:

  • Redirect the search head to another manager node for the same cluster. This can be useful in the case where a manager node fails but you have a stand-by manager for that cluster which you can redirect the search head to. For information on stand-by manager nodes, see "Replace the manager node on the indexer cluster".
  • Change the search head's security key for the cluster. Only change the key if you are also changing it for all other nodes in the cluster. The key must be the same across all instances in a cluster.

To edit the search head's cluster node configuration, use one of these methods:

Configure multisite search heads

For additions and differences when configuring multisite search heads, see "Implement search affinity in a multisite indexer cluster" and "Configure multisite indexer clusters with server.conf".

Advanced features and topologies

To implement some advanced features of distributed search, such as mounted bundles, you must edit distsearch.conf on the search head.

For instructions on how to perform advanced configuration, read the Distributed Search manual. That book focuses on environments with non-clustered indexers, but you configure most advanced search head features in the same way when working with indexer clusters, except as described here.

Search heads running on an indexer cluster compared to search heads running against non-clustered indexers

Most settings and capabilities are the same for search heads running on an indexer cluster and those running against non-clustered indexers.

The main difference is that, for indexer clusters, search heads and search peers are automatically connected to each other as part of the cluster enablement process. You do not perform any configuration in distsearch.conf to enable automatic discovery.

A few attributes in distsearch.conf are not valid for search heads in indexer clusters. A search head in an indexer cluster ignores these attributes:

servers
disabled_servers
heartbeatMcastAddr
heartbeatPort
heartbeatFrequency
ttl
checkTimedOutServersFrequency
autoAddServers

As when running against non-clustered indexers, search head access to search peers is controlled through public key authentication. However, you do not need to distribute the keys manually. The search head in an indexer cluster automatically pushes its public key to the search peers.

Mounted bundles and search peer configurations

Most distsearch.conf settings are valid only for search heads. However, to implement mounted bundles, you need to distribute a small distsearch.conf file to the search peers. For indexer clusters, you should use the manager node to distribute this file to the peers. For information on how to use the manager node to manage peer configurations, read "Update common peer configurations and apps" in this manual. For information on how to configure mounted bundles, read the "Mounted knowledge bundle replication" in the Distributed Search manual.

How the Distributed Search page works with indexer clusters

Do not use the Distributed Search page on Splunk Web to configure a search head in an indexer cluster or to add peers to the cluster. You can, however, use that page to view the list of search peers.

Combined searches

To search across multiple indexer clusters, see "Search across multiple indexer clusters".

To search across both clustered and non-clustered search peers, see see "Search across both clustered and non-clustered search peers".

Last modified on 30 September, 2020
Manage configurations on a peer-by-peer basis   Configure the search head with the dashboard

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters