Deployment Architecture

Why am I unable to delete search peers from the Distributed Management Console?

saurabh009
Path Finder

Hi,
I am unable to remove search peers from the Distributed Management Console. When I try to remove it from Splunk Web, I get the error below:

Error occurred attempting to remove XXX.XXX.XXX.XX:8089(intentionally masked): Cannot remove peer=https://XXX.XXX.XXX.XX:8089. 

This peer is a part of a search head cluster. I have already removed the cluster master from the search peer list. I also tried removing it from splunk_home/etc/system/local/distsearch.conf.
I tried removing it using the CLI command

splunk remove search-server -auth admin:password XXX.XXX.XXX.XX:8089

but it gives the same error and the peer persists in the search peer list.
Please let me know how I can remove all search peers which are part of the cluster.

Thanks

1 Solution

skalliger
Motivator

You're mixing up a few terms here. A search peer is an indexer. An indexer is not part of a search head cluster. So, do you want to remove a search peer from your indexer cluster or do you want to remove a search head cluster member?

Depending on your answer, the commands are quite different.
For a search head, you can either use

splunk remove shcluster-member

on your search head (not allowed if it is a captain) or

splunk remove shcluster-member -mgmt_uri <URI>:<management_port>

https://docs.splunk.com/Documentation/Splunk/6.5.1/DistSearch/Removeaclustermember

If it is an indexer, you have to stop it first and then use a command from the master:

splunk remove cluster-peers -peers <guid>

https://docs.splunk.com/Documentation/Splunk/6.5.1/Indexer/Removepeerfrommasterlist

Skalli

0 Karma

saurabh009
Path Finder

Thanks,

I am able to remove it from the DMC peer list by removing cluster masters from /system/local/server.conf.
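The fix reported in the last reply was in server.conf, not distsearch.conf. The Python below is an added example, not code from the thread or from Splunk: it reads both files and reports which one defines each source of search peers. It assumes the `[distributedSearch]` `servers` list and the `[clustering]` `mode` / `master_uri` settings (including the `clustermaster:<name>` multi-cluster form); the host names and file contents are constructed samples.

```python
import configparser

# Constructed sample files (not from the thread); host names are placeholders.
SERVER_CONF = """
[clustering]
mode = searchhead
master_uri = clustermaster:east, clustermaster:west

[clustermaster:east]
master_uri = https://cm-east.example.com:8089

[clustermaster:west]
master_uri = https://cm-west.example.com:8089
"""

DISTSEARCH_CONF = """
[distributedSearch]
servers = https://idx1.example.com:8089,https://idx2.example.com:8089
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp

def peer_sources(server_conf, distsearch_conf):
    """Return the statically listed peers and the cluster masters that supply peers."""
    srv, dist = _parse(server_conf), _parse(distsearch_conf)
    servers = dist.get("distributedSearch", "servers", fallback="")
    static = [s.strip() for s in servers.split(",") if s.strip()]
    masters = []
    # Assumption: only an instance in searchhead mode pulls peers from a master.
    if srv.get("clustering", "mode", fallback="").strip() == "searchhead":
        for ref in srv.get("clustering", "master_uri", fallback="").split(","):
            ref = ref.strip()
            if ref.startswith("clustermaster:"):
                # Multi-cluster form: the value names another stanza.
                ref = srv.get(ref, "master_uri", fallback="").strip()
            if ref:
                masters.append(ref)
    return {"static_peers": static, "cluster_masters": masters}

if __name__ == "__main__":
    found = peer_sources(SERVER_CONF, DISTSEARCH_CONF)
    print("Static peers (distsearch.conf):", found["static_peers"])
    print("Cluster masters supplying peers (server.conf):", found["cluster_masters"])
```

Peers that appear only through an entry under `cluster_masters` are not listed in distsearch.conf, so editing that file leaves them in place.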
