Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Search across multiple indexer clusters

You can configure a search head to search across multiple indexer clusters. The method you use depends on whether the clusters are single-site or multisite.

Configure multi-cluster search for single-site indexer clusters

To configure multi-cluster search:

1. Configure the search head for one of the clusters in the usual way, as described in "Enable the search head".

2. Point the search head at the master for the new cluster. You can do this with Splunk Web, through the CLI, or by editing the search head's server.conf file.

In Splunk Web

In Splunk Web, configure multi-cluster search from the search head dashboard:

1. Select the Add cluster to be searched button on the uppper right corner of the dashboard.

2. Fill out the fields in the pop-up window:

  • Master URI. Enter the master's URI, including its management port. For example: https://10.152.31.202:8089.
  • Security Key. This is the key that authenticates communication between a cluster's master, peers, and search heads. The key must be the same across all nodes in a cluster. Enter the security key for the new cluster here. The key might be different for each of the search head's clusters.

To remove the search head from a cluster, see "Remove the search head from a cluster".

Through the CLI

In the CLI, you can configure multi-cluster search with these commands:

splunk add cluster-master <master_uri:port>
splunk edit cluster-master <master_uri:port>
splunk remove cluster-master <master_uri:port>
splunk list cluster-master

You do not need to restart the search head after running these commands.

For example, to add the search head to a cluster whose master is located at https://10.160.31.200:8089, run this command:

splunk add cluster-master https://10.160.31.200:8089 -secret your_key

For more information on any command, see its CLI help.

By editing server.conf

You can configure multi-cluster search in the search head's server.conf file by specifying a comma-separated list of master node references in the master_uri attribute, followed by individual stanzas for each master. For example:

[clustering]
mode = searchhead
master_uri = clustermaster:east, clustermaster:west

[clustermaster:east]
master_uri=https://SplunkMaster01.example.com:8089
pass4SymmKey=someSecret

[clustermaster:west]
master_uri=https://SplunkMaster02.example.com:8089
pass4SymmKey=anotherSecret

In this example, the search head will use the pass4SymmKey "someSecret" when communicating with SplunkMaster01 and pass4SymmKey "anotherSecret" when communicating with SplunkMaster02.

After you edit server.conf, you must restart the search head for the changes to take effect.

For details on configuring multi-cluster search, see the server.conf specification file.

Configure multi-cluster search for multisite indexer clusters

A search head can search across multiple multisite clusters or a combination of single-site and multisite clusters. To configure this, you need to specify the search head's site attribute when connecting it to a multisite cluster.

Through the CLI

In the CLI, you configure multi-cluster search with the splunk add cluster-master command. When adding a multisite cluster, include the search head's site value:

splunk add cluster-master <master_uri:port> -site site<n>

You do not need to restart the search head after running this command.

By editing server.conf

To configure multi-cluster search for a multisite cluster, you need to set two multisite-specific attributes: site and multisite. The locations of these attributes vary, depending on a few factors.

If the search head will be searching across only multisite clusters, and the search head is on the same site in each cluster, put the site attribute under the [general] stanza and the multisite attribute under each [clustermaster] stanza:

[general]
site=site1

[clustering]
mode = searchhead
master_uri = clustermaster:multieast, clustermaster:multiwest

[clustermaster:multieast]
multisite=true
master_uri=https://SplunkMaster01.example.com:8089
pass4SymmKey=someSecret

[clustermaster:multiwest]
multisite=true
master_uri=https://SplunkMaster02.example.com:8089
pass4SymmKey=anotherSecret

If the search head will be searching across only multisite clusters, and the search head is on a different site in each cluster, put both the site and the multisite attributes under the [clustermaster] stanzas:

[clustering]
mode = searchhead
master_uri = clustermaster:multieast, clustermaster:multiwest

[clustermaster:multieast]
multisite=true
master_uri=https://SplunkMaster01.example.com:8089
pass4SymmKey=someSecret
site=site1

[clustermaster:multiwest]
multisite=true
master_uri=https://SplunkMaster02.example.com:8089
pass4SymmKey=anotherSecret
site=site2

If the search head will be searching across a combination of single-site and multisite clusters, put both the site and the multisite attributes under the [clustermaster] stanza for any multisite clusters. In this example, the search head searches across two clusters, only one of which is multisite:

[clustering]
mode = searchhead
master_uri = clustermaster:multi, clustermaster:single

[clustermaster:multi]
multisite=true
master_uri=https://SplunkMaster01.example.com:8089
pass4SymmKey=someSecret
site=site1

[clustermaster:single]
master_uri=https://SplunkMaster02.example.com:8089
pass4SymmKey=anotherSecret

After you edit server.conf, you must restart the search head for the changes to take effect.

For more information on multisite cluster configuration, see "Configure multisite indexer clusters with server.conf".

Last modified on 30 September, 2020
Configure the search head with the CLI   Search across both clustered and non-clustered search peers

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters