Integrate the search head cluster with an indexer cluster
To integrate a search head cluster with an indexer cluster, configure each member of the search head cluster as a search head on the indexer cluster. Once you do that, the search heads get their list of search peers from the manager node of the indexer cluster.
You can integrate search head clusters with either single-site or multisite indexer clusters.
In this diagram, a search head cluster performs searches across a single-site indexer cluster:
Integrate with a single-site indexer cluster
Configure each search head cluster member as a search head on the indexer cluster. Use the CLI
splunk edit cluster-config command. For example:
splunk edit cluster-config -mode searchhead -manager_uri https://10.152.31.202:8089 -secret newsecret123 -auth login:password splunk restart
You must run this CLI command on each member of the search head cluster.
This example specifies:
- The instance is a search head in an indexer cluster.
- The manager node of the indexer cluster resides at
- The secret key is "newsecret123".
The secret key that you set here is the indexer cluster secret key (which is stored in
pass4SymmKey under the
[clustering] stanza of
server.conf), not the search head cluster secret key (which is stored in
pass4SymmKey under the
[shclustering] stanza of
For a search head cluster to serve as the search tier of an indexer cluster, you must set both types of keys on each of the search head cluster members, because the members are serving both as nodes of the indexer cluster and as members of the search head cluster. Presumably, if you have already set up the search head cluster, you have set the search head cluster key before you get to this step.
Each key type must be identical on all nodes of its respective cluster. That is, the indexer cluster key must be identical on all nodes of the indexer cluster, while the search head cluster key must be identical on all search cluster members. It is recommended, however, that the indexer cluster key be different from the search head cluster key.
This is all you need for the basic configuration. The search heads now run their searches against the peer nodes in the indexer cluster.
Integrate with a multisite indexer cluster
In a multisite indexer cluster, each search head and indexer has an assigned site. Multisite indexer clustering promotes disaster recovery, because data is allocated across multiple sites. For example, you might configure two sites, one in Boston and another in New York. If one site fails, the data remains accessible through the other site. See Multisite indexer clusters in Managing Indexers and Clusters of Indexers.
Note: Although a search head cluster can participate in a multisite indexer cluster, the search head cluster itself does not have site awareness. See Deploy a search head cluster in a multisite environment.
To integrate search head cluster members with a multisite indexer cluster, configure each member as a search head on the indexer cluster, as in the single-site example. See Integrate with a single-site indexer.
The only difference from a single-site indexer cluster is that you must also specify the site for each member. This should ordinarily be "site0", so that all search heads in the cluster perform their searches across the same set of indexers. For example:
splunk edit cluster-config -mode searchhead -site site0 -manager_uri https://10.152.31.202:8089 -secret newsecret123 -auth login:password splunk restart
Migrate members from a single-site indexer cluster to a multisite indexer cluster
If the search head cluster members are already integrated into a single-site indexer cluster and you want to migrate that cluster to multisite, you must edit each search head's configuration to identify its site.
On each search head, specify its manager node and its site. For example:
splunk edit cluster-manager https://10.160.31.200:8089 -site site0 -auth login:password
For complete details on migrating a single-site indexer cluster to multisite, see Migrate an indexer cluster from single-site to multisite in Managing Indexers and Clusters of Indexers.
For more information
For more information on configuration of search heads on indexer clusters, see the chapter Configure the search head in the Managing Indexers and Clusters of Indexers manual. That chapter also includes configuration for more complex scenarios, such as hybrid searching, where the search heads search across both indexer clusters and non-clustered indexers.
Deploy a search head cluster
Connect the search heads in clusters to search peers
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5
Feedback submitted, thanks!