Configure the search head with the CLI
Read this first
Before reading this topic, see:
- "Configure and manage the indexer cluster with the CLI". This topic explains the basics of indexer cluster configuration with the CLI. It provides details on issues that are common to all cluster node types.
Enable a search head
The following example shows the basic settings that you typically configure when enabling a search head. The configuration attributes correspond to fields on the Enable clustering page of Splunk Web.
To enable an instance as a search head, set
mode to "searchhead". You also need to specify the
manager_uri and the cluster-wide security key (
splunk edit cluster-config -mode searchhead -manager_uri https://10.160.31.200:8089 -secret your_key splunk restart
-secret flag modifies the
pass4SymmKey setting in the
[clustering] stanza of
Edit the search head settings
You can also use the CLI to edit the configuration later.
Important: When you first enable a search head, you use the
splunk edit cluster-config command. To change the search head configuration, you must instead use the
splunk edit cluster-manager command.
For example, to change the security key (
secret), use this command:
splunk edit cluster-manager https://10.160.31.200:8089 -secret newsecret123
splunk edit cluster-manager command always takes the current manager node URI:port value as its initial parameter. For example, this command connects the search head to a different manager node by setting a new value for the
-manager_uri parameter, but it provides the value for the old manager node as its initial parameter:
splunk edit cluster-manager https://10.160.31.200:8089 -manager_uri https://10.160.31.55:8089
Refer to the CLI clustering help, along with the server.conf specification file, for the list of configurable settings.
Configure the search head with server.conf
Search across multiple indexer clusters
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3