Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Impossible to remove search head cluster

d123r432k
Engager
a month ago

I configured a search head cluster and configured a captain and added the searchheads to the indexer cluster.

I now want to break the shcluster and have done this so far;

All from the cli:

removed the member that was not the captain, went ok

Tried to remove the other member, didnt work the command just hanged for half an hour before I gave up and aborted it.

Tried to set the captain in static mode, did a clean raft, but still no luck.

configured disabled=1 in the shclustering part of the server.conf and this time it went ok I guess

I now get the message this node is not a part of any cluster configuration.

 

Over to the indexer cluster where I now want to get rid of the searchheads from the GUI which is still showing up as up and running.

ran the command splunk remove cluster-search-heads and that went successful but the searchheads are still there in the indexer clustering GUI

some suggests that this will go away after a few minutes and after a restart of the manager node this will certainly go away. I have now waited a whole day and restarted, but they are still showing up and running with a green checkmark too.

Where does it get its information from and how can I get rid of them?

Labels (1)
Labels
0 Karma
Reply

d123r432k
Engager
a month ago

I solved this by making a new searchhead cluster with the same machines with the same names. When I ran the command everything went fine

splunk edit cluster-config -mode searchhead -manager_uri https://10.152.31.202:8089 -secret newsecret123 -auth login:password

 

The problem was initially that I installed the deployer on the manager node. When I was about to install the enterprise security instance, it needed to be installed on the deployer for some reason. Now everything works as intended, I hope

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
a month ago

Hi @d123r432k ,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply

gcusello
SplunkTrust
SplunkTrust
a month ago

Hi @d123r432k ,

you have to manually remove, from server.conf the SHC stanzas and restart the three SHs.

Ciao.

Giuseppe

0 Karma
Reply

d123r432k
Engager
a month ago

edit the server.conf on the manager node or on the search heads?

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...