Search head configuration overview
Configuration of the search head in an indexer cluster falls into these categories:
- Cluster node configuration. The basic configuration of the search head node occurs during initial deployment of the indexer cluster. You can edit the configuration later.
- Advanced features and topologies. These features, such as mounted bundles, are available to all search heads, whether or not they are participating in an indexer cluster.
- Combined searches. You can combine searches across multiple clusters or across clustered and non-clustered search peers.
Important: This chapter discusses independent search heads that function as nodes in an indexer cluster. For information on how to incorporate search heads that are members of a search head cluster into an indexer cluster, see "Integrate the search head cluster with an indexer cluster" in the Distributed Search manual. In addition, see the "Configure search head clustering" chapter in the Distributed Search manual.
Cluster node configuration
Basic configuration of a Splunk Enterprise instance as a search head for an indexer cluster occurs when you initially deploy the indexer cluster. You can edit the configuration later.
Perform the initial configuration
You configure and enable the search head at the same time that you enable the other cluster nodes, as described in "Enable the search head". The cluster's set of peer nodes become search peers of the search head. For basic functionality, you do not need to set any other configurations.
Edit the configuration
There are two main reasons for editing the basic search head configuration for a particular cluster:
- Redirect the search head to another manager node for the same cluster. This can be useful in the case where a manager node fails but you have a stand-by manager for that cluster which you can redirect the search head to. For information on stand-by manager nodes, see "Replace the manager node on the indexer cluster".
- Change the search head's security key for the cluster. Only change the key if you are also changing it for all other nodes in the cluster. The key must be the same across all instances in a cluster.
To edit the search head's cluster node configuration, use one of these methods:
- Edit the configuration from the search head node dashboard in Splunk Web. See "Configure the search head with the dashboard".
- Edit the search head's
server.conffile. See "Configure the search head with server.conf".
- Use the CLI. See "Configure the search head with the CLI".
Configure multisite search heads
For additions and differences when configuring multisite search heads, see "Implement search affinity in a multisite indexer cluster" and "Configure multisite indexer clusters with server.conf".
Advanced features and topologies
To implement some advanced features of distributed search, such as mounted bundles, you must edit
distsearch.conf on the search head.
For instructions on how to perform advanced configuration, read the Distributed Search manual. That book focuses on environments with non-clustered indexers, but you configure most advanced search head features in the same way when working with indexer clusters, except as described here.
Search heads running on an indexer cluster compared to search heads running against non-clustered indexers
Most settings and capabilities are the same for search heads running on an indexer cluster and those running against non-clustered indexers.
The main difference is that, for indexer clusters, search heads and search peers are automatically connected to each other as part of the cluster enablement process. You do not perform any configuration in
distsearch.conf to enable automatic discovery.
A few attributes in
distsearch.conf are not valid for search heads in indexer clusters. A search head in an indexer cluster ignores these attributes:
servers disabled_servers heartbeatMcastAddr heartbeatPort heartbeatFrequency ttl checkTimedOutServersFrequency autoAddServers
As when running against non-clustered indexers, search head access to search peers is controlled through public key authentication. However, you do not need to distribute the keys manually. The search head in an indexer cluster automatically pushes its public key to the search peers.
Mounted bundles and search peer configurations
distsearch.conf settings are valid only for search heads. However, to implement mounted bundles, you need to distribute a small
distsearch.conf file to the search peers. For indexer clusters, you should use the manager node to distribute this file to the peers. For information on how to use the manager node to manage peer configurations, read "Update common peer configurations and apps" in this manual. For information on how to configure mounted bundles, read the "Mounted knowledge bundle replication" in the Distributed Search manual.
How the Distributed Search page works with indexer clusters
Do not use the Distributed Search page on Splunk Web to configure a search head in an indexer cluster or to add peers to the cluster. You can, however, use that page to view the list of search peers.
To search across multiple indexer clusters, see "Search across multiple indexer clusters".
To search across both clustered and non-clustered search peers, see see "Search across both clustered and non-clustered search peers".
Manage configurations on a peer-by-peer basis
Configure the search head with the dashboard
This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6