Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Search Head Cluster member removal
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I remove a search head cluster member when that member is down? Power outage at a location took down two of our search head cluster members for a week. I cant push bundles from the Deployer while these two are down. How can I remove them from the cluster while they are down so that the rest of the cluster can operate as intended?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use remove member command. Below docs:
https://docs.splunk.com/Documentation/Splunk/7.0.3/DistSearch/Removeaclustermember
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
we have majority. The SHC in total is 6 SH's. So we currently have 4 SH's up and available and 2 that are down and unavailable.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm guessing you can't deploy because you lost majority for captain election. In cases like this, you'd assign one of available node as static captain so that SHC can function. See this for more info on how to do it.
http://docs.splunk.com/Documentation/Splunk/7.0.3/DistSearch/Staticcaptain
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use remove member command. Below docs:
https://docs.splunk.com/Documentation/Splunk/7.0.3/DistSearch/Removeaclustermember
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
does not work because the member i am trying to remove is not available. its down due to a power outage in the DC it is hosted.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How is this the accepted answer? It does not explain at all the process to remove an already downed member from a cluster. If I missed it, please explain.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
