Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Enable the master node

Before reading this topic, read "Deployment overview".

A cluster has one, and only one, master node. The master node coordinates the activities of the peer nodes. It does not itself store or replicate data (aside from its own internal data).

Important: A master node cannot do double duty as a peer node. The Splunk instance that you enable as master node must perform only that single role. In addition, the master cannot share a machine with a peer.

You must enable the master node as the first step in deploying a cluster, before setting up the peer nodes.

Note: The procedure in this topic explains how to use Manager to enable a master node. You can also enable a master in two other ways:

Enable the master

To enable an indexer as the master node:

1. Click Manager in Splunk Web.

2. In the Distributed Environment group, click Clustering.

3. Select Enable clustering.

4. Select Make this instance a cluster master.

5. There are a few fields to fill out:

  • How many copies of each bucket are made? This is the replication factor for the cluster. The default is 3. For more information on the replication factor, see "Replication factor". Choose the right replication factor now. It is inadvisable to increase the replication factor later, once the cluster has significant amounts of data.
  • What's the heartbeat timeout of an indexer? The default value is 60 seconds, and you should not change this value without first consulting Splunk Support. If the master doesn't hear from a peer within the heartbeat timeout period, it considers the peer to be down and begins remedial action. Peers normally send a heartbeat to the master every second.
  • How many searchable copies of each bucket are made? This is the search factor for the cluster. The default is 2. For more information on the search factor, see "Search factor". Choose the right search factor now. It is highly inadvisable to increase the search factor later, once the cluster has significant amounts of data.
  • Secret key. This is the key that authenticates communication between the master and the peers and search heads. The key must be the same across all cluster instances. If you leave the field empty here, leave it empty on the peers and search heads as well.

6. Click Save.

7. On the information bar at the top of the page, look for this message: "Splunk must be restarted for changes to take effect. Click here to restart from the Manager." Click the link to go to the Manager page where you can initiate the restart.

Important: When the master starts up for the first time, it will block indexing on the peers until you have enabled and restarted the full replication factor number of peers.

To learn about advanced configuration of the master node, read "Configure the master".

View the master dashboard

After the restart, log back into the master and return to the Clustering page in Manager. This time, you see the master clustering dashboard. For information on the dashboard, see "View the master dashboard".

Perform additional configuration

For information on post-deployment master node configuration, read "Configure the master" in this manual.

System requirements and other deployment considerations
Enable the peer nodes

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters