Enable the search head
Before reading this topic, read "Deployment overview".
To search the cluster, you need to enable at least one cluster search head.
Before enabling the search head, you must enable and restart the master node, as described in "Enable the master node".
Note: The procedure in this topic explains how to use Manager to enable a search head. You can also enable a search head in two other ways:
- Directly edit the search head's
server.conffile. See "Configure the cluster with server.conf" for details. Some advanced settings, including multi-cluster search, can only be configured by editing this file.
- Use the CLI
edit cluster-configcommand. See "Configure the cluster with the CLI" for details.
Enable the search head
To enable a Splunk instance as a cluster search head:
1. Click Manager in Splunk Web.
2. In the Distributed Environment group, click Clustering.
3. Select Enable clustering.
4. Select Make this instance a search head.
5. There are two fields to fill out:
- What is the location of the cluster master? Enter the IP address or domain name for the master, along with its management port. For example:
- Secret key. This is the key that authenticates communication between the master and the peers and search heads. The key must be the same across all cluster instances. If the master has a secret key, you must enter it here.
6. Click Save.
7. On the information bar at the top of the page, look for this message: "Splunk must be restarted for changes to take effect. Click here to restart from the Manager." Click the link to go to the Manager page where you can initiate the restart.
View the search head dashboard
After the restart, log back into the search head and return to the Clustering page in Manager. This time, you see the search head's clustering dashboard. See "View the search head dashboard" for more information.
Enable multi-cluster search
A search head can search across multiple clusters. To enable this functionality, you must edit
server.conf directly, as described in "Configure multi-cluster search".
Set up more search heads
You can set up multiple search heads to accommodate more simultaneous searches. For information on how to determine your search head needs, see "Hardware capacity planning for a distributed Splunk deployment" in the Distributed Deployment Manual.
If you want to set up more search heads, just repeat the enablement procedure for additional instances. If you want to pool the search heads so that they share configuration and user data, see the additional configuration instructions in the topic "Configure search head pooling" in the Distributed Deployment Manual.
Perform additional configuration
For more information on clustered search head configuration, read "Configure the search head" in this manual.
Enable the peer nodes
Best practice: Forward master node data to the indexer layer
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18