Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Manage common configurations across all peers

You should attempt to maintain a common set of configuration files, including apps, across all peers in an indexer cluster. This enhances high availability by making the peers essentially interchangeable. In addition, certain configurations must be identical so that all the peers index the data in the same way.

The manager node distributes files and apps to all peers as a single action, through the configuration bundle method. You must use this method to manage common configurations. See Update common peer configurations and apps.

Files that need to be identical across all peers

It is highly recommended that you distribute the same versions of these files across all peers:

  • indexes.conf. It is critical that all peers share the same set of clustered indexes.
  • props.conf and transforms.conf. All peers must use the same set of rules when indexing data.

Beyond these three key files, you can greatly simplify cluster management by maintaining identical versions of other configuration files across all peers. For example, if your peers are able to share a single set of inputs, you can maintain a single inputs.conf file across all peers.

Because apps often contain versions of those configuration files, you should ordinarily distribute the same set of apps to all peers, rather than installing them individually on single peers. See Manage app deployment across all peers.

Note: Under limited circumstances (for example, to perform local testing or monitoring), you might want to add an index to one peer but not the others. You can do this by creating a single-peer indexes.conf, as long as you are careful about how you configure the index and are clear about the ramifications. The data in such an index will not get replicated. The single-peer indexes.conf supplements, but does not replace, the common version of the file that all peers get. You can similarly maintain single-peer apps, if necessary. See Add an index to a single peer.

Distribute configuration files to all peers

To distribute configurations across the peer nodes:

1. If distributing any indexes.conf files, configure them so that they support index replication. See Configure the peer indexes in an indexer cluster.

2. Place the files in the $SPLUNK_HOME/etc/manager-apps directory on the manager node. The set of subdirectories in this location constitute the configuration bundle.

3. Use Splunk Web or the CLI to distribute the configuration bundle to the peer nodes.

For details on these steps, see Update common peer configurations and apps.

Configuration management for peers compared to standalone indexers

The configuration bundle method is the only supported method for managing common configurations and app deployment across the set of peers. It ensures that all peers use the same versions of these files.

Note these critical differences in how you manage peer configuration files compared to configurations for standalone indexers:

  • Do not make configuration changes on individual peers that will modify configurations you need to maintain on a cluster-wide basis. For example, do not use Splunk Web or the CLI to configure index settings.
  • Do not edit cluster-wide configuration files, like indexes.conf, directly on the peers. Instead, edit the files on the manager node and distribute them through the configuration bundle method.
  • Do not use deployment server or any third party deployment tool, such as Puppet or CFEngine, to manage common configuration files across peer nodes. Instead, use the configuration bundle method.

When you distribute updates through the configuration bundle, the manager node orchestrates the distribution to ensure that all peers use the same set of configurations, including the same set of clustered indexes.

If, despite all recommendations, you choose to use another distribution method instead of the configuration bundle method, you must make sure, at a minimum, that settings for any new clustered indexes are successfully distributed to all peers, and that all the peers have been reloaded, before you start sending data to the new indexes.

Note: Although you cannot use deployment server to directly distribute apps to the peers, you can use it to distribute apps to the manager node's configuration bundle location. Once the apps are in that location, the manager node can then distribute them to the peer nodes via the configuration bundle method. See Use deployment server to distribute the apps to the manager.

Last modified on 05 January, 2022
Configure peer nodes with the CLI   Manage app deployment across all peers

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters