Indexer cluster search head configuration overview
Search head configuration falls into these categories:
- Cluster node configuration. The basic configuration of the cluster node occurs during initial cluster deployment. You can edit the configuration later.
- Advanced features and topologies. These features, such as mounted bundles, are available to all search heads, clustered or not.
- Combined searches. You can combine searches across multiple clusters or across clustered and non-clustered search peers.
Cluster node configuration
Basic configuration of a Splunk Enterprise instance as a search head cluster node occurs when you initially deploy the cluster. You can edit the configuration later.
Perform the initial configuration
You configure and enable the search head at the same time that you enable the other cluster nodes, as described in "Enable the indexer cluster search head". The cluster's set of peer nodes becomes the search head's set of search peers. For basic functionality, you do not need to set any other configurations.
Edit the configuration
There are two main reasons for editing the basic search head configuration for a particular cluster:
- Redirect the search head to another master for the same cluster. This is useful when a master fails but you have a stand-by master for that cluster to which you can redirect the search head. For information on stand-by masters, see "Replace the master node on the indexer cluster".
- Change the search head's secret key for the cluster. Only change the secret key if you are also changing it for all other nodes in the cluster. The key must be the same across all instances in a cluster.
To edit the search head's cluster node configuration, use one of these methods:
- Edit the configuration from the search head node dashboard in Splunk Web. See "Configure the indexer cluster search head with the dashboard".
- Edit the search head's server.conf file. See "Configure the indexer cluster search head with server.conf".
- Use the CLI. See "Configure the indexer cluster search head with the CLI".
Configure multisite search heads
For additions and differences when configuring multisite search heads, see "Implement multisite search affinity" and "Configure multisite indexer clusters with server.conf".
Advanced features and topologies
To implement some advanced features of distributed search, such as mounted bundles, you must edit distsearch.conf on the search head.
For instructions on how to perform advanced configuration, read the Distributed Search manual. That book focuses on environments with non-clustered indexers, but you configure advanced features on search heads associated with indexer clusters in the same way, aside from a few differences described here.
Search heads running on an indexer cluster compared to search heads running against non-clustered indexers
Most settings and capabilities are the same for search heads running on an indexer cluster and those running against non-clustered indexers.
The main difference is that, for indexer clusters, search heads and search peers are automatically connected to each other as part of the cluster enablement process. You do not perform any configuration in distsearch.conf to enable automatic discovery.
A few attributes in distsearch.conf are not valid for search heads in indexer clusters. A search head in an indexer cluster ignores these attributes:
- servers
- disabled_servers
- heartbeatMcastAddr
- heartbeatPort
- heartbeatFrequency
- ttl
- checkTimedOutServersFrequency
- autoAddServers
As when running against non-clustered indexers, search head access to search peers is controlled through public key authentication. However, you do not need to distribute the keys manually. The search head in an indexer cluster automatically pushes its public key to the search peers.
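The following is an added example, not part of the Splunk documentation: a Python check that scans the text of a search head's distsearch.conf and reports every setting from the ignored-attribute list above, so that stale peer lists or discovery settings that have no effect on an indexer cluster search head are caught in a configuration review. The function name and the sample file contents are constructed for illustration.

```python
# Added example. The attribute names come from the list on this page;
# the sample distsearch.conf below is constructed, not from a real deployment.
IGNORED_IN_INDEXER_CLUSTER = {
    "servers", "disabled_servers", "heartbeatMcastAddr", "heartbeatPort",
    "heartbeatFrequency", "ttl", "checkTimedOutServersFrequency",
    "autoAddServers",
}


def find_ignored_settings(conf_text):
    """Return (line_no, stanza, key, value) for each setting that a search
    head in an indexer cluster ignores. Keys are matched case-sensitively."""
    findings = []
    stanza = None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]  # remember which stanza we are in
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() in IGNORED_IN_INDEXER_CLUSTER:
            findings.append((line_no, stanza, key.strip(), value.strip()))
    return findings


SAMPLE_DISTSEARCH_CONF = """\
# constructed sample
[distributedSearch]
servers = https://10.0.0.5:8089,https://10.0.0.6:8089
disabled_servers = https://10.0.0.6:8089
shareBundles = false
# ttl = 1
autoAddServers = false
"""

if __name__ == "__main__":
    for line_no, stanza, key, value in find_ignored_settings(SAMPLE_DISTSEARCH_CONF):
        print(f"line {line_no}: [{stanza}] {key} = {value} "
              "is ignored on an indexer cluster search head")
```

Run it against the text of the search head's own distsearch.conf in place of the sample string.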
Mounted bundles and search peer configurations
distsearch.conf settings are valid only for search heads. However, to implement mounted bundles, you need to distribute a small distsearch.conf file to the search peers. For indexer clusters, you should use the master node to distribute this file to the peers. For information on how to use the master to manage peer configurations, read "Update common indexer cluster peer configurations and apps" in this manual. For information on how to configure mounted bundles, read the "Mount the knowledge bundle" chapter in the Distributed Search manual.
How the Distributed Search page works with indexer clusters
Do not use the Distributed Search page on the search head's Splunk Web to configure a search head in an indexer cluster. You can, however, use that page to view the list of search peers.
To search across multiple clusters, see "Configure multi-indexer-cluster search".
To search across both clustered and non-clustered search peers, see "Search across both clustered and non-clustered search peers".
This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14