Remove a cluster member
To remove a member from a cluster, run the splunk remove shcluster-member command on any cluster member.
Important: You must use the procedure documented here to remove a member from the cluster. Do not just stop the member.
To disable a member so that you can then re-use the instance, you must also run the splunk disable shcluster-config command.
To rejoin the member to the cluster later, see Add a member that was previously removed from the cluster. The exact procedure depends on whether you merely removed the member from the cluster or both removed and disabled the member.
Remove the member
Caution: Do not stop the member before removing it from the cluster.
1. Remove the member.
To run the splunk remove command on the member that you are removing, use this version:
splunk remove shcluster-member
To run the splunk remove command from another member, use this version:
splunk remove shcluster-member -mgmt_uri <URI>:<management_port>
Note the following:
mgmt_uriis the management URI of the member being removed from the cluster.
2. Stop the member.
After removing the member, wait about two minutes for configurations to be updated across the cluster, and then stop the instance:
splunk stop
By stopping the instance, you prevent error messages about the removed member from appearing on the captain.
By removing the instance from the search head cluster, you automatically remove it from the KV store. To confirm that this instance has been removed from the KV store, run splunk show kvstore-status on any remaining cluster member. The instance should not appear in the set of results. If it does appear, there might be problems with the health of your search head cluster.
Remove a member that's already down
If a member has failed and is already down, you can remove it from the cluster by running the splunk remove shcluster-member command from another member that is still running in the cluster:
splunk remove shcluster-member -mgmt_uri <URI>:<management_port>
Note the following:
mgmt_uriis the management URI of the downed member being removed from the cluster.
Remove and disable the member
If you intend to keep the instance alive for use in some other capacity, you must disable it after you remove it:
Caution: Do not stop the member first.
1. Remove the member:
splunk remove shcluster-member
2. Disable the member:
splunk disable shcluster-config
3. Stop the member:
splunk stop
4. Clean the KVStore:
splunk clean kvstore --cluster
To complete the process, a rolling restart of the cluster might be required in some cases, such as kvstore migration.
| Add a cluster member | Configure a cluster member to run ad hoc searches only |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!