Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Indexer cluster search head configuration overview

Search head configuration falls into these categories:

  • Cluster node configuration. The basic configuration of the cluster node occurs during initial cluster deployment. You can edit the configuration later.
  • Combined searches. You can combine searches across multiple clusters or across clustered and non-clustered search peers.

Cluster node configuration

Basic configuration of a Splunk Enterprise instance as a search head cluster node occurs when you initially deploy the cluster. You can edit the configuration later.

Perform the initial configuration

You configure and enable the search head at the same time that you enable the other cluster nodes, as described in "Enable the indexer cluster search head". The cluster's set of peer nodes become search peers of the search head. For basic functionality, you do not need to set any other configurations.

Edit the configuration

There are two main reasons for editing the basic search head configuration for a particular cluster:

  • Redirect the search head to another master for the same cluster. This can be useful in the case where a master fails but you have a stand-by master for that cluster which you can redirect the search head to. For information on stand-by masters, see "Replace the master node on the indexer cluster".
  • Change the search head's secret key for the cluster. Only change the secret key if you are also changing it for all other nodes in the cluster. The key must be the same across all instances in a cluster.

To edit the search head's cluster node configuration, use one of these methods:

Configure multisite search heads

For additions and differences when configuring multisite search heads, see "Implement multisite search affinity" and "Configure multisite indexer clusters with server.conf".

Advanced features and topologies

To implement some advanced features of distributed search, such as mounted bundles, you must edit distsearch.conf on the search head.

For instructions on how to perform advanced configuration, read the Distributed Search manual. That book focuses on environments with non-clustered indexers, but you configure advanced features on search heads associated with indexer clusters in the same way, aside from a few differences described here.

Search heads running on an indexer cluster compared to search heads running against non-clustered indexers

Most settings and capabilities are the same for search heads running on an indexer cluster and those running against non-clustered indexers.

The main difference is that, for indexer clusters, search heads and search peers are automatically connected to each other as part of the cluster enablement process. You do not perform any configuration in distsearch.conf to enable automatic discovery.

A few attributes in distsearch.conf are not valid for search heads in indexer clusters. A search head in an indexer cluster ignores these attributes:

servers
disabled_servers
heartbeatMcastAddr
heartbeatPort
heartbeatFrequency
ttl
checkTimedOutServersFrequency
autoAddServers

As when running against non-clustered indexers, search head access to search peers is controlled through public key authentication. However, you do not need to distribute the keys manually. The search head in an indexer cluster automatically pushes its public key to the search peers.

Mounted bundles and search peer configurations

Most distsearch.conf settings are valid only for search heads. However, to implement mounted bundles, you need to distribute a small distsearch.conf file to the search peers. For indexer clusters, you should use the master node to distribute this file to the peers. For information on how to use the master to manage peer configurations, read "Update common indexer cluster peer configurations and apps" in this manual. For information on how to configure mounted bundles, read the "Mount the knowledge bundle" chapter in the Distributed Search manual.

How the Distributed Search page works with indexer clusters

Do not use the Distributed Search page on the search head's Splunk Web to configure a search head in an indexer cluster. You can, however, use that page to view the list of search peers.

Combined searches

To search across multiple clusters, see "Configure multi-indexer-cluster search".

To search across both clustered and non-clustered search peers, see "Search across both clustered and non-clustered search peers".

PREVIOUS
Manage configurations on a peer-by-peer basis
  NEXT
Configure the cluster search head with the dashboard

This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters