I have one standalone search head connected to 2 indexer clusters now. I would like to upgrade the standalone search head to a Search Head Cluster (with 3 members and a deployer). Is this possible? How do I configure the Search Head Cluster to connect to 2 indexer clusters for distributed search?
1. Back up all the user and app configurations from the standalone search head to the deployer.
2. Wipe out the Splunk instance from the standalone search head. Delete all directories, configurations, etc.
3. Install Splunk on each of the 3 search heads and set the basic settings such as server name, etc.
4. Configure each of the search heads as members of BOTH indexer clusters, just as you did before on the standalone search head.
5. Create the search head cluster (SHC) by initializing each member and then bootstrapping a captain.
6. Add the deployer to the SHC and configure the deployer URL on each search head.
7. Use the deployer to send out all the user and app configurations to all the SHC members.
Be sure to completely re-install Splunk on the stand-alone search head before you add it to the SHC. Otherwise, you will have one search head that is out of sync with the others. This will surely cause problems.
Review the apps and user materials that you saved from the stand-alone search head to the deployer. REMOVE the default apps (search, launcher, etc. - the apps that ship with Splunk) as they should NOT be managed by the deployer. If you need to save something from the search app for example, make a new app and copy over the things that need to be saved.
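The indexer-cluster membership, SHC initialization and deployer URL steps from the answer above, written out as the `server.conf` settings they produce on each member. This is an added example, not part of the original answer or Splunk's own documentation; every host name, port, label and secret is a constructed placeholder, and it assumes a release that uses the `master_uri` / `clustermaster:` setting names.

```ini
# server.conf on EACH of the 3 SHC members, e.g. in
# $SPLUNK_HOME/etc/system/local/server.conf
# Splunk .conf comments must sit on their own line, never after a value.

# --- Search head membership in BOTH indexer clusters ---
[clustering]
mode = searchhead
# Comma-separated references to the per-cluster stanzas below.
master_uri = clustermaster:idxc1, clustermaster:idxc2

[clustermaster:idxc1]
master_uri = https://cm1.example.com:8089
# Each indexer cluster keeps its own secret; do not reuse one key for both.
pass4SymmKey = <idxc1-secret-placeholder>

[clustermaster:idxc2]
master_uri = https://cm2.example.com:8089
pass4SymmKey = <idxc2-secret-placeholder>

# --- Search head cluster membership and deployer URL ---
# These are the settings "splunk init shcluster-config" writes for you.
[replication_port://34567]

[shclustering]
disabled = 0
# The only value that differs per member (sh1, sh2, sh3).
mgmt_uri = https://sh1.example.com:8089
replication_factor = 3
conf_deploy_fetch_url = https://deployer.example.com:8089
# Must match the [shclustering] pass4SymmKey and shcluster_label set on the deployer.
pass4SymmKey = <shc-secret-placeholder>
shcluster_label = shc1

# After restarting all three members, run ONCE on one member:
#   splunk bootstrap shcluster-captain -servers_list "https://sh1.example.com:8089,https://sh2.example.com:8089,https://sh3.example.com:8089"
# Then, on the deployer, push the saved apps and user content:
#   splunk apply shcluster-bundle -target https://sh1.example.com:8089
```

Splunk rewrites plaintext `pass4SymmKey` values in encrypted form on restart, so restrict read access to the file until then and keep the secrets out of shell history and version control.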