I am currently needing to change our single site cluster to a two indexer configuration that is peered for ease of maintenance for the next person who replaces me at this site. I currently have 2 indexers, 1 deployment server, 1 cluster/license master and 1 search head. Here is what I need to do.
First - Move all Splunk forwarders to use the second indexer as the deployment server without having to reinstall all the forwarders. I thought that this was as simple as changing the deployment.conf file, but it does not seem to be working. Maybe the cluster master has something?
Second - Remove the indexers from the cluster and delete the cluster from the Cluster Master and break the distributed search.
Third - Change the license server to the first indexer.
At this point, I can shut down all servers except the indexer and everything will work.
If there is anyone that can help me, I would greatly appreciate it. I want to do this as quickly and smoothly as possible.
Thank you in advance.
If you really want to be considerate of your replacement, you'll leave everything as it is. Spend the time you would have used on breaking the environment and, instead, document what is there and how it works. Maybe write a few scripts to help out. I envision a lot may go wrong in such a radical re-architecture and your replacement may be stuck fixing the damage.
I understand what you are saying for me to do; however, my customer has asked me to put it back to a simpler configuration. It means changing it back to 2 indexers without the rest of the servers, as my replacement will probably not have the knowledge and experience that I have. That is not saying that I have a lot either. That is why I am asking for assistance in doing this. So if there is anyone who can assist me, I would greatly appreciate it.