Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Will uninstalling a search head from a distributed search environment using Add/Remove programs remove it from the topology, or are there additional steps?

wjmurphy
New Member
‎08-25-2015 12:39 PM

We have a distributed Splunk Enterprise environment running 6.1. There are two search heads. I believe the original goal was to set up search head pooling. Before I upgrade to 6.2.x, I'd like to clean out this old search head that doesn't appear to be used for anything (Splunkd and Splunkweb services have been disabled on this since I inherited it.) Will running the uninstall from Add/Remove programs remove it out of the topology or are additional steps required?

Thanks

0 Karma
Reply

jensonthottian
Contributor
‎08-25-2015 01:14 PM

check using _internal index as to what the old SH is being used for. You may want to move all the views, alerts, saved searches, report and apps from this SH, maybe create a backup.

0 Karma
Reply

tskinnerivsec
Contributor
‎08-25-2015 12:57 PM

It won't be part of the installation any more after your uninstall, but there will likely be some cleanup that needs to be done, depending on how your environment is set up. Most of it will be house keeping type things. Some examples of this will be if you were using the distributed management console, you would need to remove the search head as a search peer to keep it from alerting in the console. If you are using the sos app, /opt/splunk/etc/apps/sos/lookups/splunk_servers_cache.csv to get it out of the list on the sos app. If you were forwarding its logs to indexers, you will still see it show up in some internal searches if activity has occurred on it in the recent past. etc.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...