Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Configure the indexer cluster with server.conf

Before reading this topic, see "About configuration files" and the topics that follow it in the Admin Manual. Those topics explain how Splunk Enterprise uses configuration files.

Indexer cluster settings reside in the server.conf file, located in $SPLUNK_HOME/etc/system/local/. When you deploy a cluster node through Splunk Web or the CLI, the node saves the settings to that file. You can also edit the server.conf file directly, either to deploy initially or to change settings later.

The main server.conf stanza that controls indexer clustering is [clustering]. Besides the basic attributes that correspond to settings in Splunk Web, server.conf provides a number of advanced settings that control communication between cluster nodes. Unless advised by Splunk Support, do not change those settings.

This topic discusses some issues that are common to all node types.

Configure the various node types

For specific instructions for each node type, see:

For details on all the clustering attributes, including the advanced ones, read the server.conf specification.

For multisite cluster configurations, also read "Configure multisite indexer clusters with server.conf".

Configure the security key

Set the pass4SymmKey attribute to configure a security key that authenticates communication between the manager node, peers, and search heads. You must use the same key value for all cluster nodes.

You set pass4SymmKey when you deploy the cluster. For details on how to set the key on the manager node, see Enable the indexer cluster manager node. You also set it when enabling the peer nodes and search heads.

If you set the key directly in server.conf, you must set it inside the [clustering] stanza for indexer clustering.

Important: Save a copy of the key in a safe place. Once an instance starts running, the security key changes from clear text to encrypted form, and it is no longer recoverable from server.conf. If you later want to add a new node, you will need to use the clear text version to set the key.

For information on setting the security key for a combined search head cluster and indexer cluster, see Integrate the search head cluster with an indexer cluster in Distributed Search.
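A pre-deployment check for the key requirements above, added here as an example (not Splunk's code): it reads the staged server.conf of each node and reports whether pass4SymmKey is set inside [clustering] and matches the manager node's value, without ever printing the key. The node names, hostnames, key values, and the "$1$"/"$7$" prefix test for already-encrypted values are assumptions of the example.

```python
import configparser
import hmac

# Assumption: values Splunk has already encrypted start with "$1$" or "$7$".
ENCRYPTED_PREFIXES = ("$1$", "$7$")

def clustering_key(conf_text):
    """Return pass4SymmKey from the [clustering] stanza, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # attribute names are case-sensitive; do not lowercase
    cp.read_string(conf_text)
    return cp.get("clustering", "pass4SymmKey", fallback=None)

def check_cluster_keys(staged, reference="manager"):
    """Compare each node's clear-text key with the reference node's key.

    staged maps node name -> server.conf text. Key values are never returned.
    """
    ref = clustering_key(staged[reference])
    if not ref or ref.startswith(ENCRYPTED_PREFIXES):
        raise ValueError("reference node needs a clear-text key in [clustering]")
    findings = {}
    for node, text in staged.items():
        key = clustering_key(text)
        if not key:
            findings[node] = "missing"      # not set inside [clustering]
        elif key.startswith(ENCRYPTED_PREFIXES):
            findings[node] = "encrypted"    # instance already started; cannot compare
        elif hmac.compare_digest(key.encode(), ref.encode()):
            findings[node] = "ok"
        else:
            findings[node] = "mismatch"
    return findings

# Constructed sample files (hostnames and key values are made up).
PEER = "[clustering]\nmode = peer\nmanager_uri = https://cm1.example.internal:8089\n"
SAMPLE = {
    "manager": "[clustering]\nmode = manager\npass4SymmKey = example-cluster-key\n",
    "peer1": PEER + "pass4SymmKey = example-cluster-key\n",
    "peer2": PEER + "pass4SymmKey = example-clustre-key\n",
    "peer3": PEER + "pass4SymmKey = $7$constructedCiphertext==\n",
    # Key placed in [general] only, not in [clustering] as the page requires.
    "sh1": "[general]\npass4SymmKey = example-cluster-key\n\n"
           "[clustering]\nmode = searchhead\n",
}

if __name__ == "__main__":
    for node, status in check_cluster_keys(SAMPLE).items():
        print(f"{node}: {status}")
```

A node reported as "encrypted" has already started at least once, so its key can only be re-verified by re-staging it from the saved clear-text copy.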

Restart after modifying server.conf?

After you configure an instance as a cluster node for the first time, you need to restart it for the change to take effect.

If you make a configuration change later on, you might not need to restart the instance, depending on the type of change. Avoid restarting peers when possible. Restarting the set of peers can result in prolonged amounts of bucket-fixing.

Initial configuration

After initially configuring instances as cluster nodes, you need to restart all of them (manager node, peers, and search head) for the changes to take effect. You can do this by invoking the CLI restart command on each node:

$SPLUNK_HOME/bin/splunk restart

When the manager node starts up for the first time, it blocks indexing on the peers until you enable and restart a number of peers equal to the replication factor. Do not restart the manager while it is waiting for the peers to join the cluster. If you do, you will need to restart the peers a second time.

Important: Although you can use the CLI restart command when you initially enable an instance as a cluster peer node, do not use it for subsequent restarts. The restart command is not compatible with index replication once replication has begun. For more information, including a discussion of safe restart methods, read "Restart a single peer".

Subsequent configuration changes

If you change any of the following attributes in the server.conf file, you do not need to restart the node.

On a peer node:

  • manager_uri
  • notify_scan_period

On a search head:

  • manager_uri

On a manager node:

  • quiet_period
  • heartbeat_timeout
  • restart_timeout
  • max_peer_build_load
  • max_peer_rep_load
  • cluster_label
  • access_logging_for_heartbeats
  • use_batch_mask_changes
  • percent_peers_to_restart
  • summary_replication

All other cluster-related configuration changes require a restart.
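The restart rules above as a pre-change check, added here as an example (not Splunk's code): it diffs the [clustering] stanza of the current and the proposed server.conf and reports which changed attributes force a restart. The role labels, function names, and sample values are assumptions of the example, and only the [clustering] stanza is examined.

```python
import configparser

# Attributes the page lists as changeable without a restart, per node type.
NO_RESTART = {
    "peer": {"manager_uri", "notify_scan_period"},
    "searchhead": {"manager_uri"},
    "manager": {"quiet_period", "heartbeat_timeout", "restart_timeout",
                "max_peer_build_load", "max_peer_rep_load", "cluster_label",
                "access_logging_for_heartbeats", "use_batch_mask_changes",
                "percent_peers_to_restart", "summary_replication"},
}

def clustering_stanza(conf_text):
    """Return the [clustering] attributes as a dict (empty if no stanza)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep attribute names exactly as written
    cp.read_string(conf_text)
    return dict(cp["clustering"]) if cp.has_section("clustering") else {}

def restart_needed(role, old_text, new_text):
    """Return (needs_restart, sorted list of attributes that force it)."""
    old, new = clustering_stanza(old_text), clustering_stanza(new_text)
    if not old:
        # First-time configuration as a cluster node always needs a restart.
        return True, sorted(new)
    changed = {k for k in old.keys() | new.keys() if old.get(k) != new.get(k)}
    forcing = sorted(changed - NO_RESTART[role])
    return bool(forcing), forcing

# Constructed sample configurations (hostnames and values are made up).
PEER_OLD = "[clustering]\nmode = peer\nmanager_uri = https://cm1.example.internal:8089\n"
PEER_NEW = "[clustering]\nmode = peer\nmanager_uri = https://cm2.example.internal:8089\n"
MGR_OLD = "[clustering]\nmode = manager\nreplication_factor = 3\nheartbeat_timeout = 60\n"
MGR_NEW = "[clustering]\nmode = manager\nreplication_factor = 2\nheartbeat_timeout = 120\n"

if __name__ == "__main__":
    print(restart_needed("peer", PEER_OLD, PEER_NEW))
    print(restart_needed("manager", MGR_OLD, MGR_NEW))
    print(restart_needed("peer", "[general]\nserverName = idx1\n", PEER_NEW))
```

When the result for a peer is a required restart, use one of the safe restart methods referenced in "Restart a single peer" rather than the CLI restart command.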

Last modified on 20 April, 2021

This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2

