Configure the search head
You configure and enable the search head at the same time that you enable the other cluster components, as described in "Enable the search head". The cluster's peer nodes are automatically designated as search peers of the search head. For basic search-head functionality, you don't need to set any other configurations.
If you want to use some of the more advanced features of distributed search, such as search head pooling or mounted bundles, you must edit distsearch.conf on the search head. For detailed information on search heads, including instructions on how to do advanced configuration, read the Distributed Search manual. That chapter focuses on non-clustered environments, but it also provides correct information for configuring advanced features on clustered search heads.
If you want the search head to search across multiple clusters, you must edit server.conf, as described below in "Configure multi-cluster search".
Differences between clustered and non-clustered search head configuration
Most settings and capabilities are the same for clustered and non-clustered search heads. You edit distsearch.conf to perform advanced configuration.
The main difference is that, for clusters, search heads and search peers are automatically connected to each other as part of the cluster enablement process. You do not perform any configuration in distsearch.conf to enable automatic discovery.
A few other attributes are also not valid for clustered search heads. Specifically, a clustered search head ignores these attributes in
servers
disabled_servers
heartbeatMcastAddr
heartbeatPort
heartbeatFrequency
ttl
checkTimedOutServersFrequency
autoAddServers
Note: As in non-clustered environments, search head access to search peers is controlled through public key authentication. However, you do not need to distribute the keys manually. The search head automatically pushes its public key to the search peers.
Distributed search page in Splunk Web
You cannot use the distributed search page on the search head's Splunk Web to configure a clustered search head. You can, however, use that page to view the list of search peers.
Mounted bundles and search peer configurations
distsearch.conf settings are only valid for search heads. However, to implement mounted bundles, you also need to distribute a small distsearch.conf file to the search peers. For clusters, you should use the master node to distribute this file to the peers. For information on how to use the master to manage peer configurations, read "Configure the peer nodes" in this manual. For information on how to configure mounted bundles, read "Mount the knowledge bundle" in the Distributed Search Manual.
Configure multi-cluster search
If you have multiple clusters, you can configure a search head to search across all the clusters. You configure this in Splunk Web, through the CLI, or by editing the search head's
In Splunk Web
In Splunk Web, you can configure multi-cluster search from the search head dashboard. See "View the search head dashboard" for more information.
Through the CLI
In the CLI, you can configure multi-cluster search with these commands:
splunk add master <master_uri:port>
splunk edit master <master_uri:port>
splunk remove master <master_uri:port>
splunk list master
For more information on any command, see its CLI help.
By editing server.conf
You can configure multi-cluster search in the search head's server.conf file by specifying a comma-separated list of master node references in the master_uri attribute, followed by individual stanzas for each master. For example:
[clustering]
mode = searchhead
master_uri = clustermaster:east, clustermaster:west

[clustermaster:east]
master_uri=https://SplunkMaster01.example.com:8089
pass4SymmKey=someSecret

[clustermaster:west]
master_uri=https://SplunkMaster02.example.com:8089
In this example, the search head will use the pass4SymmKey "someSecret" when communicating with SplunkMaster01 and no pass4SymmKey when communicating with SplunkMaster02.
After you edit server.conf, you must reload the search head for the changes to take effect.
For details on configuring multi-cluster search, see the server.conf specification file. You can learn more about using server.conf to configure clusters by reading the topic "Configure the cluster with server.conf".
Search across both clustered and non-clustered search peers
You can search across both clustered and non-clustered search peers. To configure this:
1. Set up a clustered search head in the standard fashion, as described in "Enable the search head".
2. Use Splunk Web or the CLI to add one or more non-clustered search peers, as described in "Add search peers" in the Distributed Search Manual.
3. Restart the search head.
Important: You must specify the non-clustered search peers through either Splunk Web or the CLI. Due to authentication issues, you cannot specify the search peers by directly editing distsearch.conf. When you add a search peer with Splunk Web or the CLI, Splunk prompts you for public key credentials. It has no way of obtaining those credentials when you add a search peer by directly editing distsearch.conf. For more information on public keys and distributed search, read "Add search peers" in the Distributed Search Manual.
Note: The use of search head pooling in this scenario is not supported.
Warning: An indexer can be either a cluster peer (in which case, it is automatically a search peer for that cluster's search head) or a non-clustered search peer, with an entry in distsearch.conf. It cannot be both. If you mistakenly configure an indexer as both a cluster peer and a non-clustered search peer, the search head's Distributed Search page will contain two entries for the peer, and the status for one entry will read, "Peer member of cluster and distsearch.conf". To remediate, disable or delete the entry for that peer in
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15