Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Enable the search head

Before reading this topic, read "Indexer cluster deployment overview".

To search the cluster, you need to enable at least one search head in the indexer cluster.

Before enabling the search head, you must enable and restart the manager node, as described in "Enable the manager node".

The procedure in this topic explains how to use Splunk Web to enable a search head. You can also enable a search head in two other ways:

Important: This topic explains how to enable an individual search head for a single-site cluster only:

Enable the search head

To enable a Splunk instance as a search head in an indexer cluster:

1. Click Settings in the upper right corner of Splunk Web.

2. In the Distributed environment group, click Indexer clustering.

3. Select Enable clustering.

4. Select Search head node and click Next.

5. There are a few fields to fill out:

  • Manager URI. Enter the manager node's URI, including its management port. For example: https://10.152.31.202:8089.
  • Security key. This is the key that authenticates communication between the manager node and the peers and search heads. The key must be the same across all cluster nodes. Set the same value here that you previously set on the manager node.

6. Click Enable search head node.

The message appears, "You must restart Splunk for the search node to become active. You can restart Splunk from Server Controls."

7. Click Go to Server Controls. This takes you to the Settings page where you can initiate the restart.

Next steps

Now that you have enabled the search head, you can:

  • View the search head dashboard
  • Allow the search head to search other clusters
  • Add search heads to the cluster
  • Perform additional configuration on the search head

View the search head dashboard

After the restart, log back into the search head and return to the Clustering page in Splunk Web. This time, you see the search head's clustering dashboard. See "View the search head dashboard" for more information.

Allow the search head to search multiple clusters

From the dashboard, you can add additional clusters for the search head to search. For details, see "Search across multiple indexer clusters".

Add search heads to an indexer cluster

You can set up multiple search heads to accommodate more simultaneous searches. For information on how to determine your search head needs, see "Hardware capacity planning" in the Capacity Planning manual.

If you want to set up more search heads for an indexer cluster, just repeat the enablement procedure for additional instances. If you want to deploy a search head cluster, so that the search heads share configurations and jobs, see the additional configuration instructions in the topic "Integrate the search head cluster with an indexer cluster" in the Distributed Search manual.

Perform additional configuration

For more information on configuration of search heads in an indexer cluster, see "Search head configuration overview".

Last modified on 22 April, 2021
Enable the peer nodes   Best practice: Forward manager node data to the indexer layer

This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters