Deployment Architecture

How to connect a standalone search head to an indexer cluster?

Path Finder

Hello

I have a standalone search head which is not a part of an indexer cluster. In this case, do I need to point the search head to the master node of the cluster, or do I need to point it to the peer nodes? (What I am thinking is I should point it to the master node)

0 Karma
1 Solution

Path Finder

Does my answer above solve your question ? If yes, spare a moment to accept the answer and vote for it. Thanks.

0 Karma

Path Finder

Steps to setup a Search Head

You can install one or more search heads to handle your distributed search needs. Search heads are just full Splunk Enterprise instances that have been specially configured.
You can setup search head either from Splunk web interface or using the command line as follows.
Enable search peers in search heads by navigating to Settings -> Distributed Search -> Search peers - > New & add indexer IP Address to talk to. Make sure to have the unique server name for each member of the cluster. User can do it in two ways as below:
1) From Splunk GUI under Settings -> Server settings -> General Settings update the field "Splunk server name".
2) Edit the field "serverName" in the /etc/system/local/server.conf file and then restart the Splunk.

Hope this helps !

0 Karma

Influencer

This isn't how you add an SH to an indexer cluster.

0 Karma

Builder

Master Node is the correct because it will coordinate wich indexer the search head will search. If you point the indexers you will see duplicated data.

0 Karma

Communicator

This one is the correct way.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!