Splunk® Enterprise

Distributed Search

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Integrate the search head cluster with an indexer cluster

To integrate a search head cluster with an indexer cluster, configure each member of the search head cluster as a search head on the indexer cluster. Once you do that, the search heads get their list of search peers from the manager node of the indexer cluster.

You can integrate search head clusters with either single-site or multisite indexer clusters.

In this diagram, a search head cluster performs searches across a single-site indexer cluster:

2021 SH cluster with Indexer Cluster.png

Integrate with a single-site indexer cluster

Configure each search head cluster member as a search head on the indexer cluster. Use the CLI splunk edit cluster-config command. For example:

splunk edit cluster-config -mode searchhead -manager_uri https://10.152.31.202:8089 -secret newsecret123 -auth login:password 

splunk restart

You must run this CLI command on each member of the search head cluster.

This example specifies:

  • The instance is a search head in an indexer cluster.
  • The manager node of the indexer cluster resides at 10.152.31.202:8089.
  • The secret key is "newsecret123".

The secret key that you set here is the indexer cluster secret key (which is stored in pass4SymmKey under the [clustering] stanza of server.conf), not the search head cluster secret key (which is stored in pass4SymmKey under the [shclustering] stanza of server.conf).

For a search head cluster to serve as the search tier of an indexer cluster, you must set both types of keys on each of the search head cluster members, because the members are serving both as nodes of the indexer cluster and as members of the search head cluster. Presumably, if you have already set up the search head cluster, you have set the search head cluster key before you get to this step.

Each key type must be identical on all nodes of its respective cluster. That is, the indexer cluster key must be identical on all nodes of the indexer cluster, while the search head cluster key must be identical on all search cluster members. It is recommended, however, that the indexer cluster key be different from the search head cluster key.

This is all you need for the basic configuration. The search heads now run their searches against the peer nodes in the indexer cluster.

Integrate with a multisite indexer cluster

In a multisite indexer cluster, each search head and indexer has an assigned site. Multisite indexer clustering promotes disaster recovery, because data is allocated across multiple sites. For example, you might configure two sites, one in Boston and another in New York. If one site fails, the data remains accessible through the other site. See Multisite indexer clusters in Managing Indexers and Clusters of Indexers.

Note: Although a search head cluster can participate in a multisite indexer cluster, the search head cluster itself does not have site awareness. See Deploy a search head cluster in a multisite environment.

Configure members

To integrate search head cluster members with a multisite indexer cluster, configure each member as a search head on the indexer cluster, as in the single-site example. See Integrate with a single-site indexer.

The only difference from a single-site indexer cluster is that you must also specify the site for each member. This should ordinarily be "site0", so that all search heads in the cluster perform their searches across the same set of indexers. For example:

splunk edit cluster-config -mode searchhead -site site0 -manager_uri https://10.152.31.202:8089 -secret newsecret123 -auth login:password 

splunk restart

Migrate members from a single-site indexer cluster to a multisite indexer cluster

If the search head cluster members are already integrated into a single-site indexer cluster and you want to migrate that cluster to multisite, you must edit each search head's configuration to identify its site.

On each search head, specify its manager node and its site. For example:

splunk edit cluster-manager https://10.160.31.200:8089 -site site0 -auth login:password 

For complete details on migrating a single-site indexer cluster to multisite, see Migrate an indexer cluster from single-site to multisite in Managing Indexers and Clusters of Indexers.

For more information

For more information on configuration of search heads on indexer clusters, see the chapter Configure the search head in the Managing Indexers and Clusters of Indexers manual. That chapter also includes configuration for more complex scenarios, such as hybrid searching, where the search heads search across both indexer clusters and non-clustered indexers.

Last modified on 21 September, 2021
Deploy a search head cluster   Connect the search heads in clusters to search peers

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters