Splunk® Enterprise

Distributed Search

This documentation does not apply to the most recent version of Splunk.

Remove a search peer

You can remove a search peer from a search head through Splunk Web or the CLI. As you might expect, doing so merely removes the search head's knowledge of that search peer; it does not affect the peer itself.

Remove a search peer via Splunk Web

You can remove a search peer from a search head through the Distributed search page on the search head's Splunk Web.

Note: This only removes the search peer entry from the search head; it does not remove the search head key from the search peer. In most cases, this is not a problem and no further action is needed.

Remove a search peer via the CLI

On the search head, run the splunk remove search-server command to remove a search peer from the search head.

Note the following:

  • Use the -auth flag to provide credentials for the search head only.
  • Use the -url flag to specify the peer's location and splunkd management port. By default, the management port is 8089, although it might be different for your deployment.

This example removes the search peer

splunk remove search-server -auth admin:password -url

A message indicating success appears after the peer is removed.

Disable the trust relationship

As an additional step, you can disable the trust relationship between the search peer and the search head. To do this, delete the trusted.pem file from $SPLUNK_HOME/etc/auth/distServerKeys/<searchhead_name> on the search peer.

Note: The <searchhead_name> is the search head's serverName, as described in "Manage distributed server names".

This step is usually unnecessary.
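
The following is an added example, not part of the Splunk documentation. Run on the search peer, it lists the search heads that still have a trusted.pem under distServerKeys and deletes the key for one named search head. The /opt/splunk fallback for SPLUNK_HOME, the function names and the list/revoke arguments are assumptions.

```shell
#!/bin/sh
# Added example: audit and revoke search-head trust on a search peer.
# Assumption: SPLUNK_HOME is set; /opt/splunk is only a fallback guess.
KEYS_DIR="${SPLUNK_HOME:-/opt/splunk}/etc/auth/distServerKeys"

# Print the serverName of every search head whose key the peer still trusts.
# Directories without a trusted.pem are skipped.
list_trusted_heads() {
    lt_dir="${1:-$KEYS_DIR}"
    for lt_pem in "$lt_dir"/*/trusted.pem; do
        [ -f "$lt_pem" ] || continue
        basename "$(dirname "$lt_pem")"
    done
}

# Delete trusted.pem for one search head (its serverName).
# Returns 2 for an unsafe name, 1 if no key exists, 0 on removal.
revoke_head_trust() {
    rv_name="$1"
    rv_dir="${2:-$KEYS_DIR}"
    case "$rv_name" in
        ""|.|..|*/*)
            # Refuse names that could escape the distServerKeys directory.
            echo "invalid search head name: '$rv_name'" >&2
            return 2 ;;
    esac
    rv_pem="$rv_dir/$rv_name/trusted.pem"
    if [ ! -f "$rv_pem" ]; then
        echo "no trusted.pem for search head '$rv_name'" >&2
        return 1
    fi
    rm -f -- "$rv_pem"
    echo "removed $rv_pem"
}

# Hypothetical command-line use: "list" or "revoke <searchhead_name>".
case "${1:-}" in
    list)   list_trusted_heads ;;
    revoke) revoke_head_trust "${2:-}" ;;
esac
```

Listing before and after a removal confirms that only the intended search head lost its key.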


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13


Daniel333:

First, follow the instructions in the current topic, to remove the indexer from the search head's list of peers.

Next, see this topic for information on migrating data to another Splunk instance:

http://docs.splunk.com/Documentation/Splunk/latest/Installation/MigrateaSplunkinstance

Finally, you will presumably want to make the second Splunk instance a search peer of the same search head, if it's not already one. This topic describes how to do so:

http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Configuredistributedsearch

November 26, 2013

Is there a guide to decommissioning an indexer/search peer? So that the data is safely moved to another indexer?

November 25, 2013
