Splunk® Enterprise

Managing Indexers and Clusters of Indexers


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Configure the search head

You configure and enable the search head at the same time that you enable the other cluster components, as described in "Enable the search head". The cluster's set of peer nodes is automatically designated as the search head's search peers.

For basic functionality, you can go with the default configuration that occurs during the enablement process. If you want the search head to search across multiple clusters, however, you must directly edit server.conf, as described below.

In addition, if you want to use some of the more advanced features of distributed search, such as search head pooling or mounted bundles, you must edit distsearch.conf on the search head. For detailed information on search heads, including instructions on how to do advanced configuration, read the chapter "Search across multiple indexers" in the Distributed Deployment Manual. That chapter focuses on non-clustered environments, but it also provides correct information for configuring advanced features on clustered search heads.

Configure multi-cluster search

If you have multiple clusters, you can configure a search head to search across all the clusters. You configure this in the search head's server.conf file by specifying a comma-separated list of master node references in the master_uri attribute, followed by individual stanzas for each master. For example:

[clustering]
mode = searchhead
master_uri = clustermaster:east, clustermaster:west

[clustermaster:east]
master_uri=https://SplunkMaster01.example.com:8089
pass4SymmKey=someSecret

[clustermaster:west]
master_uri=https://SplunkMaster02.example.com:8089

In this example, the search head will use the pass4SymmKey "someSecret" when communicating with SplunkMaster01 and no pass4SymmKey when communicating with SplunkMaster02.

After you edit server.conf, you must restart the search head for the changes to take effect.

For details on configuring multi-cluster search, see the server.conf specification file. You can learn more about using server.conf to configure clusters by reading the topic "Configure the cluster with server.conf".

Note: You must perform this configuration directly in server.conf. You cannot configure multi-cluster search through Manager or the CLI.

Differences between clustered and non-clustered search head configuration

Most settings and capabilities are the same for clustered and non-clustered search heads. You edit distsearch.conf to perform advanced configuration.

The main difference is that, for clusters, search heads and search peers are automatically connected to each other as part of the cluster enablement process. You do not perform any configuration in distsearch.conf to enable automatic discovery.

A few other attributes are also not valid for clustered search heads. Specifically, a clustered search head ignores these attributes in distsearch.conf:

servers
disabled_servers
heartbeatMcastAddr
heartbeatPort
heartbeatFrequency
ttl
checkTimedOutServersFrequency
removedTimedOutServers
autoAddServers

Note: As in non-clustered environments, search head access to search peers is controlled through public key authentication. However, you do not need to distribute the keys manually. The search head automatically pushes its public key to the search peers.

Distributed search Manager page

You cannot use the distributed search page in Manager to configure a clustered search head. You can, however, go to that page on the search head to view the list of all the search peers.

Mounted bundles and search peer configurations

Most distsearch.conf settings are only valid for search heads. However, to implement mounted bundles, you also need to distribute a small distsearch.conf file to the search peers. For clusters, you should use the master node to distribute this file to the peers. For information on how to use the master to manage peer configurations, read "Configure the peer nodes" in this manual. For information on how to configure mounted bundles, read "Mount the knowledge bundle" in the Distributed Deployment Manual.


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18

