
Remove a search peer
You can remove a search peer from a search head through Splunk Web or the CLI. As you might expect, doing so merely removes the search head's knowledge of that search peer; it does not affect the peer itself.
Remove a search peer via Splunk Web
You can remove a search peer from a search head through the Distributed search page on the search head's Splunk Web.
Note: This only removes the search peer entry from the search head; it does not remove the search head key from the search peer. In most cases, this is not a problem and no further action is needed.
Remove a search peer via the CLI
On the search head, run the splunk remove search-server command to remove a search peer from the search head.
Note the following:
- Use the -auth flag to provide credentials for the search head only.
- Use the -url flag to specify the peer's location and splunkd management port. By default, the management port is 8089, although it might be different for your deployment.
This example removes the search peer 10.10.10.10:8089:
splunk remove search-server -auth admin:password -url 10.10.10.10:8089
A message indicating success appears after the peer is removed.
Disable the trust relationship
As an additional step, you can disable the trust relationship between the search peer and the search head. To do this, delete the trusted.pem file from $SPLUNK_HOME/etc/auth/distServerKeys/<searchhead_name> on the search peer.
Note: The <searchhead_name> is the search head's serverName, as described in "Manage distributed server names".
This step is usually unnecessary.
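To see which search heads a peer still trusts before deleting anything, the following shell functions list the serverName directories under distServerKeys that contain a trusted.pem file and flag those that are not in an expected list. This is an added example, not Splunk tooling; the function names, the sample serverNames and the temporary directory standing in for $SPLUNK_HOME are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Splunk tooling): audit search head keys left on a search peer.
# Layout from the page: $SPLUNK_HOME/etc/auth/distServerKeys/<searchhead_name>/trusted.pem

# usage: list_trusted_search_heads SPLUNK_HOME
# Prints one serverName per line for every directory that holds a trusted.pem.
list_trusted_search_heads() {
    keys_dir="$1/etc/auth/distServerKeys"
    [ -d "$keys_dir" ] || return 0
    for pem in "$keys_dir"/*/trusted.pem; do
        # An unmatched glob stays literal, so test that the file really exists.
        if [ -f "$pem" ]; then
            basename "$(dirname "$pem")"
        fi
    done
}

# usage: stale_search_heads SPLUNK_HOME EXPECTED_NAME...
# Prints each trusted serverName that is not in the expected list.
stale_search_heads() {
    home="$1"; shift
    list_trusted_search_heads "$home" | while IFS= read -r name; do
        keep=no
        for expected in "$@"; do
            if [ "$name" = "$expected" ]; then keep=yes; fi
        done
        if [ "$keep" = no ]; then printf '%s\n' "$name"; fi
    done
}

# Builds a constructed sample tree (serverNames are made up) and prints its path,
# so the functions can be tried without touching a real Splunk installation.
make_sample_home() {
    sample=$(mktemp -d)
    for sh_name in sh-prod-01 sh-old-02; do
        mkdir -p "$sample/etc/auth/distServerKeys/$sh_name"
        : > "$sample/etc/auth/distServerKeys/$sh_name/trusted.pem"
    done
    printf '%s\n' "$sample"
}

demo_home=$(make_sample_home)
echo "Still trusted but not expected:"
stale_search_heads "$demo_home" sh-prod-01
rm -rf "$demo_home"
```

On a real search peer, pass the actual $SPLUNK_HOME and the serverName of every search head that should still be able to search it.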
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13