Deployment Architecture

How to upgrade a standalone search head to a Search Head Cluster, and connect the SHC to 2 Indexer Clusters?

New Member

I have one standalone search head connected to 2 indexer clusters now. I would like to upgrade the standalone search head to a Search Head Cluster (with 3 members and a deployer). Is this possible? How to configure the Search Head Cluster to connect 2 indexer cluster for distribution search?

0 Karma

Legend

This is entirely possible.

  1. Set up the deployer.
  2. Backup all the user and app configurations from the standalone search head to the deployer.
  3. Wipe out the Splunk instance from the standalone search head. Delete all directories, configurations, etc.
  4. Install Splunk on each of the 3 search heads and set the basic settings such as server name etc.
  5. Configure each of the search heads as members of BOTH indexer clusters, just as you did before on the standalone search head.
  6. Create the search head cluster (SHC) by initializing each member and then bootstrapping a captain.
  7. Add the deployer to the SHC and configure the deployer url on each search head.
  8. Use the deployer to send out all the user and app configurations to all the SHC members.

Tips:

  • Be sure to completely re-install Splunk on the stand-alone search head before you add it to the SHC. Otherwise, you will have one search head that is out of sync with the others. This will surely cause problems.
  • Review the apps and user materials that you saved from the stand-alone search head to the deployer. REMOVE the default apps (search, launcher, etc. - the apps that ship with Splunk) as they should NOT be managed by the deployer. If you need to save something from the search app for example, make a new app and copy over the things that need to be saved.
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!