Splunk® Enterprise

Distributed Search

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Remove a search peer

You can remove a search peer from a search head through Splunk Web or the CLI. As you might expect, doing so merely removes the search head's knowledge of that search peer; it does not affect the peer itself.

Remove a search peer via Splunk Web

You can remove a search peer from a search head through the Search peers page on the search head's Splunk Web. See View search peer status in Settings.

Note: This only removes the search peer entry from the search head; it does not remove the search head key from the search peer. In most cases, this is not a problem and no further action is needed. To disable the trust relationship, see Disable the trust relationship.

Remove a search peer via the CLI

On the search head, run the splunk remove search-server command to remove a search peer from the search head:

splunk remove search-server -auth <user>:<password>  <host>:<port> 

Note the following:

  • Use the -auth flag to provide credentials for the search head only.
  • <host> is the host name or IP address of the search peer's host machine.
  • <port> is the management port of the search peer.

For example:

splunk remove search-server -auth admin:password 10.10.10.10:8089

A message indicating success appears after the peer is removed.

In the case of a search head cluster, the peer removal action replicates to all other cluster members only if you have enabled search peer replication. Otherwise, you must remove the search peers from each member individually. For information on enabling search peer replication, see Replicate the search peers across the cluster.

Disable the trust relationship

As an additional step, you can disable the trust relationship between the search peer and the search head. To do this, delete the trusted.pem file from $SPLUNK_HOME/etc/auth/distServerKeys/<searchhead_name> on the search peer.

Note: The <searchhead_name> is the search head's serverName, as described in "Manage distributed server names".

This step is usually unnecessary.

Last modified on 22 May, 2023
Create distributed search groups   View search peer status in Settings

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters