Hello Guys,
I am preparing for Splunk Enterprise Admin certification and I am getting a bit confused by the documentation in Splunk docs.
Namely, there are two different statements about the distsearch.conf stanza, and I am not sure which one is the right one.
Splunk/8.1.2/DistSearch/Configuredistributedsearch - here it states:
"Add the search peers
To connect the search peers:
1. On the search head, create or edit a distsearch.conf file in $SPLUNK_HOME/etc/system/local.
2. Add the search peers to the servers setting under the [distributedSearch] stanza. Specify the peers as a set of comma-separated values (host names or IP addresses with management ports). For example:
[distributedSearch]
servers = https://192.168.1.1:8089,https://192.168.1.2:8089
Note: You must precede the host name or IP address with the URI scheme, either "http" or "https"."
Splunk/8.1.2/DistSearch/Distributedsearchgroups - the other one here states:
"You define distributed search groups in distsearch.conf.
For example, to create the two search groups NYC and SF, create stanzas like these:
[distributedSearch]
# This stanza lists the full set of search peers.
servers = 192.168.1.1:8089, 192.168.1.2:8089, 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089

[distributedSearch:NYC]
# This stanza lists the set of search peers in New York.
default = false
servers = 192.168.1.1:8089, 192.168.1.2:8089

[distributedSearch:SF]
# This stanza lists the set of search peers in San Francisco.
default = false
servers = 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089
In the first example, it says that "http/https" is required in the hostname/IP under the servers variable in the [distributedSearch] stanza; the other one omits it and does not say anything about "http/https" as the required value. I am not at the stage of testing this myself yet, so I was thinking maybe I can ask here.
Thanks in advance
Just worth adding that documentation for "adding search peers" through CLI, Splunk Web says that http/https is required.
Even the Splunk Web console states this info: "Specify the search peer as servername:mgmt_port or URI:mgmt_port. You must prefix the URI with its scheme. For example: 'https://sp1.example.com:8089'."
Does it mean that both versions are acceptable or Splunk/8.1.2/DistSearch/Distributedsearchgroups page is wrong?