Hello
I have a standalone search head which is not a part of an indexer cluster. In this case, do I need to point the search head to the master node of the cluster, or do I need to point it to the peer nodes? (What I am thinking is I should point it to the master node)
Does my answer above solve your question? If yes, spare a moment to accept the answer and vote for it. Thanks.
Steps to set up a Search Head
You can install one or more search heads to handle your distributed search needs. Search heads are just full Splunk Enterprise instances that have been specially configured.
You can set up a search head either from the Splunk web interface or using the command line, as follows.
Enable search peers in search heads by navigating to Settings -> Distributed Search -> Search peers -> New and add the indexer IP address to talk to. Make sure to have a unique server name for each member of the cluster. The user can do it in two ways, as below:
1) From Splunk GUI under Settings -> Server settings -> General Settings update the field "Splunk server name".
2) Edit the field "serverName" in the /etc/system/local/server.conf file and then restart Splunk.
Hope this helps!
This isn't how you add an SH to an indexer cluster.
The master node is the correct one because it will coordinate which indexer the search head will search. If you point to the indexers, you will see duplicated data.
This one is the correct way.
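A configuration check for the setup discussed in this thread, added here as an example (not code from any poster or from Splunk): it reads a search head's `server.conf` and `distsearch.conf` text and reports whether the search head is pointed at the master node or at statically listed peers. The `[clustering]` and `[distributedSearch]` keys are the standard Splunk setting names; the finding labels, host names, IPs and the secret placeholder are constructed for illustration.

```python
import configparser

# Constructed samples; host names, IPs and the secret are placeholders.
CLUSTERED = """
[clustering]
mode = searchhead
master_uri = https://master.example.internal:8089
pass4SymmKey = <cluster-secret>
"""
STANDALONE = """
[general]
serverName = sh01
"""
STATIC_PEERS = """
[distributedSearch]
servers = https://10.0.0.11:8089,https://10.0.0.12:8089
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return cp

def audit_search_head(server_conf, distsearch_conf=""):
    """Return a list of findings for a search head's cluster wiring."""
    srv, dist = _parse(server_conf), _parse(distsearch_conf)
    mode = srv.get("clustering", "mode", fallback="disabled")
    # Newer Splunk releases name this key manager_uri; accept either.
    uri = (srv.get("clustering", "master_uri", fallback="")
           or srv.get("clustering", "manager_uri", fallback=""))
    peers = [p.strip() for p in
             dist.get("distributedSearch", "servers", fallback="").split(",") if p.strip()]
    findings = []
    if mode != "searchhead" or not uri:
        findings.append("not-pointed-at-master")
    else:
        if not uri.startswith("https://"):
            findings.append("master-uri-not-https")
        if not srv.get("clustering", "pass4SymmKey", fallback=""):
            findings.append("missing-pass4SymmKey")
        if peers:
            # The search head gets its peer list from the master; static
            # entries for the same indexers are what the thread warns about.
            findings.append("static-peers-alongside-cluster")
    return findings

if __name__ == "__main__":
    print(audit_search_head(CLUSTERED))
    print(audit_search_head(STANDALONE, STATIC_PEERS))
    print(audit_search_head(CLUSTERED, STATIC_PEERS))
```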