Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Configure the indexer cluster with server.conf

Before reading this topic, see "About configuration files" and the topics that follow it in the Admin Manual. Those topics explain how Splunk Enterprise uses configuration files.

Indexer cluster settings reside in the server.conf file, located in $SPLUNK_HOME/etc/system/local/. When you deploy a cluster node through Splunk Web or the CLI, the node saves the settings to that file. You can also edit server.conf file directly, either to deploy initially or to change settings later.

The main server.conf stanza that controls indexer clustering is [clustering]. Besides the basic attributes that correspond to settings in Splunk Web, server.conf provides a number of advanced settings that control communication between cluster nodes. Unless advised by Splunk Support, do not change those settings.

This topic discusses some issues that are common to all node types. For specific instructions for each node type, see:

For details on all the clustering attributes, including the advanced ones, read the server.conf specification.

For multisite cluster configurations, also read "Configure multisite indexer clusters with server.conf".

Example configuration

Here is an example master node configuration:

mode = master
replication_factor = 4
search_factor = 3
pass4SymmKey = whatever

This example specifies that:

  • the instance is a cluster master node.
  • the cluster's replication factor is 4.
  • the cluster's search factor is 3.
  • the secret key is "whatever".

Peer node and search head configuration are similar.

Configure the secret key

You can optionally set the pass4SymmKey attribute to configure a secret key that authenticates communication between the master, peers and, search heads. If you set it for one cluster node, you must also give it the same value for all other cluster nodes.

You must set the key inside the [clustering] stanza for indexer clustering. You can also set pass4SymmKey in the [general] stanza for licensing.

Important: You should save a copy of the key in a safe place. Once an instance starts running, the secret key changes from clear text to encrypted form, and it is no longer recoverable from server.conf. If you later want to add a new node, you will need to use the clear text version to set the key.

For information on setting the security key for a combined search head cluster and indexer cluster, see "Deploy a search head cluster" in the Distributed Search manual.

Restart after modifying server.conf?

After you configure an instance as a cluster node for the first time, you need to restart it for the change to take effect.

If you make a configuration change later on, you might not need to restart the instance, depending on the type of change. Avoid restarting peers when possible. Restarting the set of peers can result in prolonged amounts of bucket-fixing.

Initial configuration

After initially configuring instances as cluster nodes, you need to restart all of them (master, peers, and search head) for the changes to take effect. You can do this by invoking the CLI restart command on each node:

$SPLUNK_HOME/bin/splunk restart

When the master starts up for the first time, it blocks indexing on the peers until you enable and restart the replication factor number of peers. Do not restart the master while it is waiting for the peers to join the cluster. If you do, you will need to restart the peers a second time.

Important: Although you can use the CLI restart command when you initially enable an instance as a cluster peer node, do not use it for subsequent restarts. The restart command is not compatible with index replication once replication has begun. For more information, including a discussion of safe restart methods, read "Restart a single peer".

Subsequent configuration changes

If you change any of the following attributes in the server.conf file, you do not need to restart the node.

On a peer node or search head:

  • master_uri

On a master node:

  • quiet_period
  • heartbeat_timeout
  • restart_timeout
  • max_peer_build_load
  • max_peer_rep_load
  • access_logging_for_heartbeats
  • use_batch_mask_changes
  • percent_peers_to_restart

All other cluster-related configuration changes require a restart.

Configure the indexer cluster with the dashboards
Configure and manage the indexer cluster with the CLI

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters