How configuration changes propagate across the search head cluster
Read this first
Before reading this topic, see:
- "Administer Splunk Enterprise with configuration files" in the Admin Manual. The topics in that chapter provide important background information on configuration files.
The importance of configuration files in a search head cluster
Settings in configuration files control the functionality of a search head, including the set of knowledge objects. For example, there are configuration files for saved searches, event types, and workflow actions. Other configuration files provide the settings for non-search functionality, such as data inputs and indexing. See "List of configuration files" in the Admin Manual.
Besides the configuration files, other files are important to search-time functionality. For example, static lookup tables, dashboards, and data models use various files as part of their definition.
For a search head cluster to function properly, its members must all use the same set of search-related configurations. For example, all search heads in the cluster need access to the same set of saved searches. They must therefore use the same savedsearches.conf
settings.
Members should also use the same set of user-related settings. See "Add users to the search head cluster."
Apps must also be identical across all search heads in a cluster. An app is essentially just a set of configurations.
How configuration changes propagate in a search head cluster
A search head cluster uses two means to ensure that configurations are identical across its members: automatic replication and the deployer.
Replicated changes
The cluster automatically replicates any runtime knowledge object changes on one cluster member to all other members. This includes, for example, changes or additions to saved searches, lookup tables, and dashboards. For example, when a user in Splunk Web defines a field extraction, the cluster replicates that field extraction to all other search heads in the cluster.
In addition, the cluster replicates a few other runtime changes as well, such as changes to users and roles.
See "Configuration updates that the cluster replicates."
Deployed changes
The cluster does not replicate all configuration changes, but rather only certain changes, primarily to knowledge objects, made at runtime through Splunk Web, the CLI, or the REST API. For other configuration changes and additions, you must explicitly push the changes to all cluster members. You do this through a special Splunk Enterprise instance called the deployer.
Examples of changes that require use of the deployer include any configuration files that you edit directly. For example, if you make a change in limits.conf
, you must push the change through the deployer. Similarly, if you directly edit a knowledge object configuration file, like savedsearches.conf
, you must use the deployer to distribute it to cluster members. In addition, you must use the deployer to push new or upgraded apps to the cluster members.
You also use the deployer to migrate app and user settings from an existing search head pool or standalone search head to the search head cluster.
See "Use the deployer to distribute apps and configuration updates."
Add non-clustered search peers to a search head cluster
Adding non-clustered search peers (that is, indexers that are not part of an indexer cluster) to the search head cluster is an example of the type of configuration change that the cluster does not replicate automatically. At the same time, however, it might not be convenient to add search peers by using the deployer to push an updated distsearch.conf
, because the deployer will then initiate a rolling restart of all cluster members.
To avoid a restart of cluster members, you can use the CLI splunk add search-server
command to add peers to each cluster member individually. For details, see "Connect the search heads in clusters to search peers."
Caution: Complete this operation across all cluster members quickly, so that all members maintain the same set of search peers.
The Settings menu in Splunk Web organizes settings into several groups, including one called Knowledge, which contains the knowledge object settings. Search head clustering hides most non-Knowledge groups in each member's Settings menu by default. For example, it hides settings for data inputs and the distributed environment. You can unhide the hidden groups, if necessary.
The reason for hiding non-Knowledge settings is that the cluster only replicates certain setting changes, mainly those in the Knowledge category. If you make a change on one member to a setting in a non-Knowledge category, the cluster, with a few exceptions, does not automatically replicate that change to the other members. This can lead to the members being out of sync with each other.
If you need to access a hidden setting on a member, you can unhide those settings:
1. Click Settings in the upper right corner of Splunk Web. A list of settings, mainly limited to the Knowledge group, appears.
2. Click the Show All Settings button at the end of the list. A dialog box reminds you that hidden settings will not be replicated.
3. To continue, click Show in the dialog box. The full list of settings, dependent on your role permissions, appears.
The settings are now unhidden for all users with permission to view them; typically, all admin users. To rehide the settings, you must restart the instance.
Important: If you make a change to a hidden setting, the changed configuration will exist only on the cluster member where you made the change. If you want other members to get that change as well, you must use the deployer to push the underlying configuration file for that setting.
CLI commands and cluster members
Most general and search-related CLI commands are available for use on cluster members. If you run the command on one member, the cluster replicates the resulting configuration changes to the other members.
However, do not run the splunk clean
command, in any of its variants, on an active cluster member. For example, the splunk clean all
command should only be run after a member is removed from the cluster, as that command deletes the _raft
folder, /etc/passwd
, and so on. Similarly, if you run splunk clean userdata
on one member, the user data will be cleaned on that member only. The change will not replicate to the other members, causing user/role information to differ between members.
For more information on replicated changes, see "Configuration updates that the cluster replicates."
Set a security key for the search head cluster | Configuration updates that the cluster replicates |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0
Feedback submitted, thanks!