Archive
Highlighted

how to configure "mode" of server.conf in multiple site cluster

Explorer

I am going to create a multiple site cluster with Splunk 6.5 enterprise.

According to Splunk document of "Configure multisite indexer clusters with server.conf". the "mode" under "[clustering]" section is supposed to be either "master"(for master indexer), "slave"(for peer-node indexer), or "searchhead"(for search head)

I would like each Splunk instance host in my cluster can do both search and indexing, what is the mode value I shall configure it?

0 Karma
Highlighted

Re: how to configure "mode" of server.conf in multiple site cluster

Splunk Employee
Splunk Employee

Your indexer cluster peer nodes are "slave", the machine you use as a cluster master will be "master" and the search head(s) you will use to search across your cluster will be "searchhead", which will get its list of search peers from the cluster master periodically.
Your cluster peers are search peers by definition, the search head will interact with each peer when users run searches on the search head. Your users MUST NOT have access to the UI of the cluster peers directly for searching; everything search will be coordinated by the SH and CM.

View solution in original post

0 Karma
Highlighted

Re: how to configure "mode" of server.conf in multiple site cluster

Explorer

I want each of my Splunk instance to play both search head and a indexer role (either master or slave ) on the same box in the multiple site cluster, is is supported?
I think your point is my master node (master+search head) shall use "master", slave node (slave+search head) shall go with "slave". the node as search peer only without any indexer functionality will use "searchhead", is it correct?

0 Karma
Highlighted

Re: how to configure "mode" of server.conf in multiple site cluster

Splunk Employee
Splunk Employee

No, it is not supported. In any distributed environment, search roles must be separated from indexer roles. In a clustered environment, the cluster master cannot be on the same machine than a cluster peer.
You need at least one search head, one cluster master and two indexer peer nodes to deploy a valid cluster.
Please study this page carefully; it states

Important: A master node cannot do double duty as a peer node or a search node. The Splunk Enterprise instance that you enable as master node must perform only that single indexer cluster role. In addition, the master cannot share a machine with a peer. Under certain limited circumstances, however, the master instance can handle a few other lightweight functions. See "Additional roles for the master node".

0 Karma