Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

How indexer cluster nodes start up

This topic describes what happens when:

  • the master node starts
  • a peer node joins a new cluster
  • a peer node joins an existing cluster

When the master node starts

When a master node comes online (either the first time or subsequently), it begins listening for cluster peers. Each online peer registers with the master, and the master adds it to the cluster. The master waits until the replication factor number of peers register, and then it starts performing its functions.

When you first deploy the cluster, you must enable the master before enabling the peer nodes, as described in "Indexer cluster deployment overview". The master blocks indexing on the peers until you enable and restart the full replication factor number of peers.

If you subsequently restart the master, it waits for a quiet period to allow all peers the opportunity to register with it. Once the quiet period ends and the replication factor number of peers register with it, the master can start performing its coordinating functions, such as rebalancing the primary bucket copies and telling peers where to stream copies of incoming data. Therefore, you must make sure that there are at least replication factor number of peers running when you restart the master.

After the quiet period is over, you can view the master dashboard for information on the status of the cluster.

For more information on what occurs when a master goes down and then restarts, see "What happens when the master node goes down".

When a peer joins a new cluster

When you initially deploy a cluster, you must first enable the master and then enable the peer nodes, as described in "Indexer cluster deployment overview". The master blocks indexing on the peers until you enable and restart the full replication factor number of peers.

Each peer registers with the master when it comes online, and the master automatically distributes the latest configuration bundle to it. The peer then validates the configuration bundle locally. The peer will only join the cluster if bundle validation succeeds.

The peer starts indexing data after the replication factor number of peers join the cluster.

When a peer joins an existing cluster

A peer can also come online at some later time, when the cluster is already up and running with a master and the replication factor number of peers. The peer registers with the master when it comes online, and the master distributes the latest configuration bundle to it. The peer validates the configuration bundle locally. The peer joins the cluster only if bundle validation succeeds.

Note: Adding a new peer to an existing cluster causes a rebalancing of primary bucket copies across the set of existing peer nodes, as described in "Rebalance the indexer cluster primary buckets". However, the new peer won't get any of those primary copies, because the master performs rebalancing only across the set of searchable copies, and a new peer has no searchable copies when it starts up. The peer can participate in future bucket replication, but the master does not automatically shift bucket copies or reassign primaries from existing peers to the new peer.

Last modified on 06 October, 2020
How indexer clusters handle report and data model acceleration summaries   What happens when a peer node goes down

This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters