Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Manage configurations on a peer-by-peer basis

Most configurations need to be the same across all peers. See Manage common configurations across all peers. For limited purposes, such as testing, you can handle some configurations on a peer-by-peer basis.

Configure data inputs

Forwarders are the recommended way to handle data inputs to peers. For information on configuring this process, read Use forwarders to get your data into the indexer cluster.

If you want to input data directly to a peer, without a forwarder, you can configure your inputs on the peer in the same way as for any indexer. For more information, read Configure your inputs in the Getting Data In manual.

Important: Although you can configure inputs on a peer-by-peer basis, consider whether your needs allow you to use a single set of inputs across all peers. This should be possible if all data is channeled through forwarders, and the receiving ports on all peers are the same. If that is the case, you can use the manager node to manage a common inputs.conf file, as described in Update common peer configurations and apps.

Add an index to a single peer

If you need to add an index to a single peer, you can do so by creating a separate indexes.conf file on the peer. However, the data in the new index will remain only on that peer and will not get replicated. The main use case for this is to perform some sort of local testing or monitoring, possibly involving an app that you download to only that one peer. The peer-specific indexes.conf supplements, but does not replace, the common versions of the file that all peers get.

If you create a version of indexes.conf for a single peer, you can put it in any of the acceptable locations for an indexer, as discussed in About configuration files and Configuration file directories in the Admin Manual. The one place where you cannot put the file is under $SPLUNK_HOME/etc/peer-apps, which is where the configuration bundle resides on the peer. If you put it there, it will get overwritten the next time the peer downloads a configuration bundle.

Important: If you add a local index, leave its repFactor attribute set to the default value of 0. Do not set it to auto. If you do set it to auto, the peer will attempt to replicate the index's data to other peers in the cluster. Since the other peers will not be configured for the new index, there will be nowhere on those peers to store the replicated data, resulting in various, potentially serious, problems. In addition, when the manager node next attempts to push a configuration bundle to the peers, the peer with the incorrectly configured index will return a bundle validation error to the manager, preventing the manager from successfully applying the bundle to the set of peers.

Make other configuration changes

If you need to make some other configuration changes specific to an individual peer, you can configure the peer in the usual way for any Splunk Enterprise instance, clustered or not. You can use Splunk Web or the CLI, or you can directly edit configuration files.

Restart the peer

As with any indexer, you sometimes need to restart a peer after you change its configuration. Unlike non-clustered indexers, however, do not use the CLI splunk restart command to restart the peer. Instead, use the restart capability in Splunk Web. For detailed information on how to restart a cluster peer, read Restart a single peer.

For information on configuration changes that require a restart, see Restart after modifying server.conf? and Restart or reload after configuration bundle changes?.

Last modified on 05 January, 2022
Update common peer configurations and apps   Search head configuration overview

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters