Deployment Architecture

How do I remove a search head that is appearing under the Indexer Clustering page?



I've got problem - I added an additional search head to a Splunk cluster (not search head cluster) and I can see it under Indexer Clustering: Master Node search head bookmarks. I was testing search just to check something and now I want to delete it from the cluster, but no success. I was using splunk remove search-server but got

In handler 'distsearch-peer': There is no search peer with a URI of Either the URI you entered is incorrect or the search peer has already been removed.

But the url is correct of course and peer still appears in Indexer Clustering page. cluster-peers with guid isn't working too.

Any ideas how to clean this mess up?


I also had the same issue (using Splunk version 7.2.7), and a restart of the cluster master did not help.

First, you need to disable indexer clustering on the search head you want to remove. In Splunk Web, go to Settings --> Indexer Clustering. Then remove the cluster master you do not want to collect data from, which is only working if it is not the only cluster master. If it is the only one, click on Edit --> Disable Indexer Clustering instead.

Afterwards, the search head will show as "Unavailable" in the monitoring console of the cluster master.

After some digging through the configuration files of the cluster master (looking for the search head's IP address and host name), I found some leftovers of the removed search head:

  1. In the [settings] stanza of $SPLUNK_HOME$/etc/apps/splunk_monitoring_console/local/splunk_monitoring_console_assets.conf in the configuredPeers key
  2. In $SPLUNK_HOME$/etc/apps/splunk_monitoring_console/lookups/assets.csv
  3. In $SPLUNK_HOME$/etc/apps/splunk_monitoring_console/lookups/dmc_forwarder_assets.csv

After removing those leftovers and restarting splunkd, the search head had also been removed from the cluster master.

Path Finder

I had the same issue and a restart of Splunk on the index master cleared it up.

0 Karma

Splunk Employee
Splunk Employee

What does your server.conf file look like on the Cluster Master, Indexers (search peers), and search head look like?

0 Karma


pass4SymmKey = xxxxxxxxxx
serverName = xxxxxxxxxx
site = site4

available_sites = site4,site2
mode = master
multisite = true
pass4SymmKey = xxxxxxxxxxxxxx
site_replication_factor = origin:1,site2:2,site4:2,total:5
site_search_factor = origin:1,site2:2,site4:2,total:5


pass4SymmKey = xxxxxx
serverName = xxxxxxx
site = site4

master_uri = xxxxxxxx
mode = slave
pass4SymmKey = xxxxxxx

Search head

pass4SymmKey = xxxxxxxx
serverName = xxxxxxxx
site = site4
sessionTimeout = 8h

master_uri = xxxxxxx
mode = searchhead
multisite = true
pass4SymmKey = xxxxx

As you can see - nothing unusual

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...