Splunk® Enterprise

Distributed Search

Download manual as PDF

Download topic as PDF

Integrate the search head cluster with an indexer cluster

To integrate a search head cluster with an indexer cluster, configure each member of the search head cluster as a search head on the indexer cluster. Once you do that, the search heads get their list of search peers from the master node of the indexer cluster.

You can integrate search head clusters with either single-site or multisite indexer clusters.

In this diagram, a search head cluster performs searches across a single-site indexer cluster:

SH cluster with Indexer Cluster.png

Integrate with a single-site indexer cluster

Configure each search head cluster member as a search head on the indexer cluster. Use the CLI splunk edit cluster-config command. For example:

splunk edit cluster-config -mode searchhead -master_uri https://10.152.31.202:8089 -secret newsecret123 

splunk restart

You must run this CLI command on each member of the search head cluster.

This example specifies:

  • The instance is a search head in an indexer cluster.
  • The master node of the indexer cluster resides at 10.152.31.202:8089.
  • The secret key is "newsecret123".

The secret key that you set here is the indexer cluster secret key (which is stored in pass4SymmKey under the [clustering] stanza of server.conf), not the search head cluster secret key (which is stored in pass4SymmKey under the [shclustering] stanza of server.conf).

For a search head cluster to serve as the search tier of an indexer cluster, you must set both types of keys on each of the search head cluster members, because the members are serving both as nodes of the indexer cluster and as members of the search head cluster. Presumably, if you have already set up the search head cluster, you have set the search head cluster key before you get to this step.

Each key type must be identical on all nodes of its respective cluster. That is, the indexer cluster key must be identical on all nodes of the indexer cluster, while the search head cluster key must be identical on all search cluster members. It is recommended, however, that the indexer cluster key be different from the search head cluster key.

This is all you need for the basic configuration. The search heads now run their searches against the peer nodes in the indexer cluster.

Integrate with a multisite indexer cluster

In a multisite indexer cluster, each search head and indexer has an assigned site. Multisite indexer clustering promotes disaster recovery, because data is allocated across multiple sites. For example, you might configure two sites, one in Boston and another in New York. If one site fails, the data remains accessible through the other site. See Multisite indexer clusters in Managing Indexers and Clusters of Indexers.

Note: Although a search head cluster can participate in a multisite indexer cluster, the search head cluster itself does not have site awareness. See Deploy a search head cluster in a multisite environment.

Configure members

To integrate search head cluster members with a multisite indexer cluster, configure each member as a search head on the indexer cluster, as in the single-site example. See Integrate with a single-site indexer.

The only difference from a single-site indexer cluster is that you must also specify the site for each member. This should ordinarily be "site0", so that all search heads in the cluster perform their searches across the same set of indexers. For example:

splunk edit cluster-config -mode searchhead -site site0 -master_uri https://10.152.31.202:8089 -secret newsecret123 

splunk restart

Migrate members from a single-site indexer cluster to a multisite indexer cluster

If the search head cluster members are already integrated into a single-site indexer cluster and you want to migrate that cluster to multisite, you must edit each search head's configuration to identify its site.

On each search head, specify its master node and its site. For example:

splunk edit cluster-master https://10.160.31.200:8089 -site site0

For complete details on migrating a single-site indexer cluster to multisite, see Migrate an indexer cluster from single-site to multisite in Managing Indexers and Clusters of Indexers.

For more information

For more information on configuration of search heads on indexer clusters, see the chapter Configure the search head in the Managing Indexers and Clusters of Indexers manual. That chapter also includes configuration for more complex scenarios, such as hybrid searching, where the search heads search across both indexer clusters and non-clustered indexers.

PREVIOUS
Deploy a search head cluster
  NEXT
Connect the search heads in clusters to search peers

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0


Comments

Mattlucas719 - You do, in fact, need to set the indexer clustering secret key (pass4SymmKey under the [clustering] stanza) to be identical across all nodes of an indexer cluster, including the search head nodes. So, when a search head cluster is serving as the search tier for an indexer cluster, you must configure its members to use the indexer cluster's secret key, as the text in this topic explains. The CLI command provided above accomplishes that goal.

However, the search head cluster has its own set of internal communications that also need to be protected by a secret key. This secret resides under the [shclustering], not the [clustering], stanza. That secret can (and, as you suggest, should) be different from the secret used for the indexer clustering communications .I think that these dual requirements might have caused the confusion expressed in your comment.

I will add some material to this topic to clarify the need to configure two types of secret keys.

Sgoodman, Splunker
October 4, 2017

The secret key is "newsecret123". You must use the same secret key across all nodes in both the indexer cluster and the search head cluster.
^ that is incorrect, the pass4symmkey can be different on the indexer cluster and the search head cluster and will work fine. In fact there can be security arguments for them to be different.

-master_uri https://10.152.31.202:8089
^ this is the cluster master URI and can be DNS or IP here.

The secret is simply used to authenticate against the cluster master and the rest of the peers.

Mattlucas719
March 24, 2017

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters