Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Put a peer into detention

When a peer is in the state of detention, its functionality is reduced. It stops replicating data from other peer nodes and, depending on the type of detention, stops indexing most or all data. It continues to participate in searches.

A peer can enter detention either automatically, in response to a low level of free disk space, or manually.

Automatic detention

When a peer enters the detention state automatically, it

  • stops indexing all data, internal and external.
  • stops replicating data from other peer nodes.
  • stops participating in searches.

The peer node enters the detention state automatically when it runs low on disk space. The setting that controls automatic detention is minFreeSpace in server.conf. The default value is 5000, or 5GB, meaning that the peer enters detention when it has less than 5GB of free disk space.

The peer automatically leaves the detention state when its free disk space grows to exceed minFreeSpace.

Manual detention

When a peer enters the detention state manually, it

  • stops replicating data from other peer nodes.
  • optionally stops accepting data from the ports that consume external data, causing the peer to no longer index most types of external data.
  • continues to index internal data and stream the data to target peer nodes.
  • continues to participate in searches.

When you manually put a peer into the detention state, it remains in detention until you remove it from detention. Manual detention persists through peer restart.

The effect of not accepting data from external data ports

When setting a peer to manual detention, you can optionally direct the peer to stop accepting data from the ports that consume incoming data.

This brings a halt to the indexing of most external data, including

  • TCP inputs
  • UDP inputs
  • HEC inputs
  • data sent from a forwarder to the peer through its receiving port

Attempts to send HEC data to the peer generate the return error "HTTPSTATUS_NOT_FOUND, 404".

However, external data can continue to enter the peer through these methods:

  • scripted inputs
  • file and folder monitoring
  • the receivers/stream endpoint

In addition, the indexer can continue to route incoming data to another Splunk Enterprise instance or to a third-party system.

Use cases

Here are some of the key use cases for manual detention:

  • To bring a near halt to the growth of disk usage on the peer, for example, if the peer is close to running out of space.
  • To partially decommission an old peer, making it available only for searches on existing data.
  • To stop a troublesome peer from handling external or replicated data, while keeping the peer available for diagnostics.
  • To force new data to go to the new peers, when you add new peers to a cluster.
Note: You can also use data rebalancing to move data to new peers. See Rebalance the cluster.
  • To slow the growth of disk usage on a peer that belongs to a pre-approved firewall exception list and needs to continue receiving incoming data. For this use case, you can configure the peer to stop replication activity but continue to consume external data.

Put a peer into manual detention

To put a peer into detention, run the CLI command splunk edit cluster-config with the -manual_detention parameter.

You can set the -manual_detention parameter to one of several values:

  • on. The peer enters detention and stops accepting data from the ports that consume incoming data. These ports are the receiving TCP, UDP, and HTTP event collector ports.This action has the effect of halting indexing of most external data. The peer continues to index internal data. The peer stops replicating data from other peer nodes.
  • on_ports_enabled. The peer enters detention and the ports stay open to accept incoming data. The peer continues to index both external and internal data. The peer stops replicating data from other peer nodes.
  • off. The peer is not in detention. This is the default.

You can run this command from the peer itself or from the manager node.

Caution: The peer must be in the Up state, or "status," before you put it in detention. For information on how to determine the status of a peer, see View the manager node dashboard.

To run the command from the peer:

splunk edit cluster-config -auth <username>:<password> -manual_detention [off|on|on_ports_enabled]

To run the command from the manager node:

splunk edit cluster-config -auth <username>:<password> -peers <peer_guid1>,<peer_guid2>,... -manual_detention [off|on|on_ports_enabled]

Note the following:

  • -peers specifies the set of peers that you want to put in detention. Identify each peer by its GUID. When you run the command from the manager node, you must include this parameter.

Take a peer out of manual detention

To take a peer out of detention:

splunk edit cluster-config -auth <username>:<password> -manual_detention off 

Use a REST endpoint to put the peer into manual detention

You can use the REST endpoint cluster/peer/control/control/set_manual_detention to put a peer into manual detention.

Note: A previous endpoint, cluster/peer/control/control/set_detention_override, has been deprecated. Use cluster/peer/control/control/set_manual_detention in its place.

See the REST API documentation for cluster/peer/control/control/set_manual_detention.

View the detention state

You can view the states, detention-related or otherwise, of all peers from the manager node dashboard. See View the manager node dashboard.

These are the possible detention states:

  • AutomaticDetention. Peer entered detention automatically.
  • ManualDetention. Peer entered detention manually and no longer consumes external data.
  • ManualDetention-PortsEnabled. Peer entered detention manually and continues to consume external data.


You can also use the DMC to view the state of the peers.

In addition, some CLI commands also provide peer state information:

  • To view the state of all peers, run this command on the manager:

splunk list cluster-peers
  • To view the state of a single peer, run this command on the peer:

splunk list cluster-config
Last modified on 22 April, 2021
Remove excess bucket copies from the indexer cluster   Remove a peer from the manager node's list

This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters