Splunk® Enterprise

Distributed Search

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Remove a cluster member

To remove a member from a cluster, run the splunk remove shcluster-member command on any cluster member.

Important: You must use the procedure documented here to remove a member from the cluster. Do not just stop the member.

To disable a member so that you can then re-use the instance, you must also run the splunk disable shcluster-config command.

To rejoin the member to the cluster later, see Add a member that was previously removed from the cluster. The exact procedure depends on whether you merely removed the member from the cluster or both removed and disabled the member.

Remove the member

Caution: Do not stop the member before removing it from the cluster.

1. Remove the member.

To run the splunk remove command on the member that you are removing, use this version:

splunk remove shcluster-member

To run the splunk remove command from another member, use this version:

splunk remove shcluster-member -mgmt_uri <URI>:<management_port>

Note the following:

  • mgmt_uri is the management URI of the member being removed from the cluster.

2. Stop the member.

After removing the member, wait about two minutes for configurations to be updated across the cluster, and then stop the instance:

splunk stop

By stopping the instance, you prevent error messages about the removed member from appearing on the captain.

By removing the instance from the search head cluster, you automatically remove it from the KV store. To confirm that this instance has been removed from the KV store, run splunk show kvstore-status on any remaining cluster member. The instance should not appear in the set of results. If it does appear, there might be problems with the health of your search head cluster.

Remove a member that's already down

If a member has failed and is already down, you can remove it from the cluster by running the splunk remove shcluster-member command from another member that is still running in the cluster:

splunk remove shcluster-member -mgmt_uri <URI>:<management_port>

Note the following:

  • mgmt_uri is the management URI of the downed member being removed from the cluster.

Remove and disable the member

If you intend to keep the instance alive for use in some other capacity, you must disable it after you remove it:

Caution: Do not stop the member first.

1. Remove the member:

splunk remove shcluster-member

2. Disable the member:

splunk disable shcluster-config

3. Stop the member:

splunk stop

4. Clean the KVStore:

splunk clean kvstore --cluster

To complete the process, a rolling restart of the cluster might be required in some cases, such as kvstore migration.

Last modified on 03 January, 2022
Add a cluster member   Configure a cluster member to run ad hoc searches only

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters