Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Enable the indexer cluster manager node

Before reading this topic, read Indexer cluster deployment overview.

A cluster has one, and only one, manager node. The manager node coordinates the activities of the peer nodes. It does not itself store or replicate data (aside from its own internal data).

Important: A manager node cannot do double duty as a peer node or a search node. The Splunk Enterprise instance that you enable as manager node must perform only that single indexer cluster role. In addition, the manager cannot share a machine with a peer. Under certain limited circumstances, however, the manager instance can handle a few other lightweight functions. See "Additional roles for the manager node".

You must enable the manager node as the first step in deploying a cluster, before setting up the peer nodes.

The procedure in this topic explains how to use Splunk Web to enable a manager node. You can also enable a manager node in two other ways:

Important: This topic explains how to enable a manager node for a single-site cluster only. If you plan to deploy a multisite cluster, see "Configure multisite indexer clusters with server.conf".

Enable the manager node

To enable an indexer as the manager node:

1. Click Settings in the upper right corner of Splunk Web.

2. In the Distributed environment group, click Indexer clustering.

3. Select Enable indexer clustering.

4. Select Manager node and click Next.

5. There are a few fields to fill out:

  • Replication Factor.The replication factor determines how many copies of data the cluster maintains. The default is 3. For more information on the replication factor, see Replication factor. Be sure to choose the right replication factor now. It is inadvisable to increase the replication factor later, after the cluster contains significant amounts of data.
  • Search Factor. The search factor determines how many immediately searchable copies of data the cluster maintains. The default is 2. For more information on the search factor, see Search factor. Be sure to choose the right search factor now. It is inadvisable to increase the search factor later, once the cluster has significant amounts of data.
  • Security Key. This is the key that authenticates communication between the manager node and the peers and search heads. The key must be the same across all cluster nodes. The value that you set here must be the same that you subsequently set on the peers and search heads as well.
  • Cluster Label. You can label the cluster here. The label is useful for identifying the cluster in the monitoring console. See Set cluster labels in Monitoring Splunk Enterprise.

6. Click Enable manager node.

The message appears, "You must restart Splunk for the manager node to become active. You can restart Splunk from Server Controls."

7. Click Go to Server Controls. This takes you to the Settings page where you can initiate the restart.

Important: When the manager node starts up for the first time, it will block indexing on the peers until you enable and restart the full replication factor number of peers. Do not restart the manager node while it is waiting for the peers to join the cluster. If you do, you will need to restart the peers a second time.

View the manager node dashboard

After the restart, log back into the manager node and return to the Clustering page in Splunk Web. This time, you see the manager node clustering dashboard. For information on the dashboard, see "View the manager node dashboard".

Perform additional configuration

For information on post-deployment manager node configuration, see "Manager node configuration overview".

Last modified on 22 April, 2021
System requirements and other deployment considerations for indexer clusters   Enable the peer nodes

This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters