Solved: Re: Search Head Cluster member removal

coreyf311 · ‎04-12-2018

How can I remove a search head cluster member when that member is down? Power outage at a location took down two of our search head cluster members for a week. I cant push bundles from the Deployer while these two are down. How can I remove them from the cluster while they are down so that the rest of the cluster can operate as intended?

p_gurav · ‎04-12-2018

You can use remove member command. Below docs:
https://docs.splunk.com/Documentation/Splunk/7.0.3/DistSearch/Removeaclustermember

View solution in original post

coreyf311 · ‎04-13-2018

we have majority. The SHC in total is 6 SH's. So we currently have 4 SH's up and available and 2 that are down and unavailable.

somesoni2 · ‎04-12-2018

I'm guessing you can't deploy because you lost majority for captain election. In cases like this, you'd assign one of available node as static captain so that SHC can function. See this for more info on how to do it.

http://docs.splunk.com/Documentation/Splunk/7.0.3/DistSearch/Staticcaptain

p_gurav · ‎04-12-2018

You can use remove member command. Below docs:
https://docs.splunk.com/Documentation/Splunk/7.0.3/DistSearch/Removeaclustermember

coreyf311 · ‎04-12-2018

does not work because the member i am trying to remove is not available. its down due to a power outage in the DC it is hosted.

def65483 · ‎08-07-2019

How is this the accepted answer? It does not explain at all the process to remove an already downed member from a cluster. If I missed it, please explain.

Search Head Cluster member removal

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023