Configure the search head
You configure and enable the search head at the same time that you enable the other cluster components, as described in "Enable the search head". The cluster's set of peer nodes is automatically designated as search peers of the search head.
For basic functionality, you can go with the default configuration that occurs during the enablement process. If you want the search head to search across multiple clusters, however, you must directly edit server.conf, as described below.
In addition, if you want to use some of the more advanced features of distributed search, such as search head pooling or mounted bundles, you must edit distsearch.conf on the search head. For detailed information on search heads, including instructions on how to do advanced configuration, read the chapter "Search across multiple indexers" in the Distributed Deployment Manual. That chapter focuses on non-clustered environments, but it also provides correct information for configuring advanced features on clustered search heads.
Configure multi-cluster search
If you have multiple clusters, you can configure a search head to search across all the clusters. You configure this in the search head's server.conf file by specifying a comma-separated list of master node references in the master_uri attribute, followed by individual stanzas for each master. For example:
    [clustering]
    mode = searchhead
    master_uri = clustermaster:east, clustermaster:west

    [clustermaster:east]
    master_uri=https://SplunkMaster01.example.com:8089
    pass4SymmKey=someSecret

    [clustermaster:west]
    master_uri=https://SplunkMaster02.example.com:8089
In this example, the search head will use the pass4SymmKey "someSecret" when communicating with SplunkMaster01 and no pass4SymmKey when communicating with SplunkMaster02.
After you edit server.conf, you must restart the search head for the changes to take effect.
For details on configuring multi-cluster search, see the server.conf specification file. You can learn more about using server.conf to configure clusters by reading the topic "Configure the cluster with server.conf".
Note: You must perform this configuration directly in server.conf. You cannot configure multi-cluster search through Manager or the CLI.
Differences between clustered and non-clustered search head configuration
Most settings and capabilities are the same for clustered and non-clustered search heads. You edit distsearch.conf to perform advanced configuration.
The main difference is that, for clusters, search heads and search peers are automatically connected to each other as part of the cluster enablement process. You do not perform any configuration in distsearch.conf to enable automatic discovery.
A few other attributes are also not valid for clustered search heads. Specifically, a clustered search head ignores these attributes in distsearch.conf:
    servers
    disabled_servers
    heartbeatMcastAddr
    heartbeatPort
    heartbeatFrequency
    ttl
    checkTimedOutServersFrequency
    removedTimedOutServers
    autoAddServers
Note: As in non-clustered environments, search head access to search peers is controlled through public key authentication. However, you do not need to distribute the keys manually. The search head automatically pushes its public key to the search peers.
Distributed search Manager page
You cannot use the distributed search page in Manager to configure a clustered search head. You can, however, go to that page on the search head to view the list of all the search peers.
Mounted bundles and search peer configurations
distsearch.conf settings are only valid for search heads. However, to implement mounted bundles, you also need to distribute a small distsearch.conf file to the search peers. For clusters, you should use the master node to distribute this file to the peers. For information on how to use the master to manage peer configurations, read "Configure the peer nodes" in this manual. For information on how to configure mounted bundles, read "Mount the knowledge bundle" in the Distributed Deployment Manual.
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18