Unable to remove Search Peer from Search Head

cburgman
Path Finder

Just recently enabled HTTPS in my environment. I was able to remove and re-add search peers to 2 other search heads with no issues. However, I have one that is giving me issues. When I attempt to remove a search peer I am getting:

Error occurred attempting to remove 10.x.x.x:8089: In handler 'distsearch-peer': Cannot remove peer=10.x.x.x:8089. This peer is a part of a cluster.

Tried from GUI and CLI. Both are giving the same error. Any ideas or troubleshooting suggestions?


masonmorales
Influencer

Clustered search peers have to be removed at the cluster's master node. Take a look at: https://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/Removepeerfrommasterlist

Explanation: When a search head is connected to an indexer cluster, it receives its distributed peer list from the master node.
