Search across multiple indexer clusters
You can configure a search head to search across multiple indexer clusters. The method you use depends on whether the clusters are single-site or multisite.
Configure multi-cluster search for single-site indexer clusters
To configure multi-cluster search:
1. Configure the search head for one of the clusters in the usual way, as described in "Enable the search head".
2. Point the search head at the manager node for the new cluster. You can do this with Splunk Web, through the CLI, or by editing the search head's server.conf
file.
In Splunk Web
In Splunk Web, configure multi-cluster search from the search head dashboard:
1. Select the Add cluster to be searched button on the uppper right corner of the dashboard.
2. Fill out the fields in the pop-up window:
- Manager URI. Enter the manager node's URI, including its management port. For example:
https://10.152.31.202:8089
. - Security Key. This is the key that authenticates communication between a cluster's manager node, peers, and search heads. The key must be the same across all nodes in a cluster. Enter the security key for the new cluster here. The key might be different for each of the search head's clusters.
To remove the search head from a cluster, see "Remove the search head from a cluster".
Through the CLI
In the CLI, you can configure multi-cluster search with these commands:
splunk add cluster-manager <manager_uri:port> splunk edit cluster-manager <manager_uri:port> splunk remove cluster-manager <manager_uri:port> splunk list cluster-manager
You do not need to restart the search head after running these commands.
For example, to add the search head to a cluster whose manager node is located at https://10.160.31.200:8089, run this command:
splunk add cluster-manager https://10.160.31.200:8089 -secret your_key
For more information on any command, see its CLI help.
By editing server.conf
You can configure multi-cluster search in the search head's server.conf
file by specifying a comma-separated list of manager node references in the manager_uri
attribute, followed by individual stanzas for each manager. For example:
[clustering] mode = searchhead manager_uri = clustermanager:east, clustermanager:west [clustermanager:east] manager_uri=https://SplunkManager01.example.com:8089 pass4SymmKey=someSecret [clustermanager:west] manager_uri=https://SplunkManager02.example.com:8089 pass4SymmKey=anotherSecret
In this example, the search head will use the pass4SymmKey
"someSecret" when communicating with SplunkManager01 and pass4SymmKey
"anotherSecret" when communicating with SplunkManager02.
After you edit server.conf
, you must restart the search head for the changes to take effect.
For details on configuring multi-cluster search, see the server.conf specification file.
Configure multi-cluster search for multisite indexer clusters
A search head can search across multiple multisite clusters or a combination of single-site and multisite clusters. To configure this, you need to specify the search head's site
attribute when connecting it to a multisite cluster.
Through the CLI
In the CLI, you configure multi-cluster search with the splunk add cluster-manager
command. When adding a multisite cluster, include the search head's site
value:
splunk add cluster-manager <manager_uri:port> -site site<n>
You do not need to restart the search head after running this command.
By editing server.conf
To configure multi-cluster search for a multisite cluster, you need to set two multisite-specific attributes: site
and multisite
. The locations of these attributes vary, depending on a few factors.
If the search head will be searching across only multisite clusters, and the search head is on the same site in each cluster, put the site
attribute under the [general]
stanza and the multisite
attribute under each [clustermanager]
stanza:
[general] site=site1 [clustering] mode = searchhead manager_uri = clustermanager:multieast, clustermanager:multiwest [clustermanager:multieast] multisite=true manager_uri=https://SplunkManager01.example.com:8089 pass4SymmKey=someSecret [clustermanager:multiwest] multisite=true manager_uri=https://SplunkManager02.example.com:8089 pass4SymmKey=anotherSecret
If the search head will be searching across only multisite clusters, and the search head is on a different site in each cluster, put both the site
and the multisite
attributes under the [clustermanager]
stanzas:
[clustering] mode = searchhead manager_uri = clustermanager:multieast, clustermanager:multiwest [clustermanager:multieast] multisite=true manager_uri=https://SplunkManager01.example.com:8089 pass4SymmKey=someSecret site=site1 [clustermanager:multiwest] multisite=true manager_uri=https://SplunkManager02.example.com:8089 pass4SymmKey=anotherSecret site=site2
If the search head will be searching across a combination of single-site and multisite clusters, put both the site
and the multisite
attributes under the [clustermanager]
stanza for any multisite clusters. In this example, the search head searches across two clusters, only one of which is multisite:
[clustering] mode = searchhead manager_uri = clustermanager:multi, clustermanager:single [clustermanager:multi] multisite=true manager_uri=https://SplunkManager01.example.com:8089 pass4SymmKey=someSecret site=site1 [clustermanager:single] manager_uri=https://SplunkManager02.example.com:8089 pass4SymmKey=anotherSecret
After you edit server.conf
, you must restart the search head for the changes to take effect.
For more information on multisite cluster configuration, see "Configure multisite indexer clusters with server.conf".
Configure the search head with the CLI | Search across both clustered and non-clustered search peers |
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0
Feedback submitted, thanks!