Deployment Architecture

How to upgrade a standalone search head to a Search Head Cluster, and connect the SHC to 2 Indexer Clusters?

New Member

I have one standalone search head connected to 2 indexer clusters now. I would like to upgrade the standalone search head to a Search Head Cluster (with 3 members and a deployer). Is this possible? How to configure the Search Head Cluster to connect 2 indexer cluster for distribution search?

0 Karma


This is entirely possible.

  1. Set up the deployer.
  2. Backup all the user and app configurations from the standalone search head to the deployer.
  3. Wipe out the Splunk instance from the standalone search head. Delete all directories, configurations, etc.
  4. Install Splunk on each of the 3 search heads and set the basic settings such as server name etc.
  5. Configure each of the search heads as members of BOTH indexer clusters, just as you did before on the standalone search head.
  6. Create the search head cluster (SHC) by initializing each member and then bootstrapping a captain.
  7. Add the deployer to the SHC and configure the deployer url on each search head.
  8. Use the deployer to send out all the user and app configurations to all the SHC members.


  • Be sure to completely re-install Splunk on the stand-alone search head before you add it to the SHC. Otherwise, you will have one search head that is out of sync with the others. This will surely cause problems.
  • Review the apps and user materials that you saved from the stand-alone search head to the deployer. REMOVE the default apps (search, launcher, etc. - the apps that ship with Splunk) as they should NOT be managed by the deployer. If you need to save something from the search app for example, make a new app and copy over the things that need to be saved.
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...