Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add more indexers to your existing indexer cluster?

joesrepsol
Path Finder
‎04-13-2017 02:22 PM

Not finding much on this subject, and looking for a little guidance...

I already have an indexer cluster up and running with (2) indexers in the cluster. Looking to add a new indexer to that pool. From reading it looks like I...

1) enter maintenance mode on the cluster master...
2) up the search factor/replication factor (if desired)...
3) enable indexer clustering on the new indexer and join the indexer to the master (peer node configuration)
4) ensure all indexes are recreated on the new indexer
5) Data rebalance
6) Bring master out of maintenance mode
7) Push out new outputs.conf to forwarders with 3rd indexer info as well
??

Joe

Splunk Enterprise 6.5.0

Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-19-2019 01:00 PM

The process for adding an indexer to a cluster is documented at https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Addclusterpeer . The steps apply to earlier versions of Splunk, not just 8.0.1.

---
If this reply helps you, Karma would be appreciated.
Reply

maraman_splunk
Splunk Employee
Splunk Employee
‎04-13-2017 03:48 PM

Hello

1) install splunk the same way you did for other indexer and enable indexer clustering on the new indexer
-> the indexer join the cluster, get the index list, apps to be deployed on indexers, ... become a target for replication and search head learn that it exist.
2) Push out new outputs.conf to forwarders with 3rd indexer info as well
3) up the search factor/replication factor (if desired)...
4)if needed Data rebalance

0 Karma
Reply

khalidewaidah
Explorer
‎03-05-2018 11:06 PM

Dear All
I follow all steps above but the new indexers can't add is there any settings need to do in cm

0 Karma
Reply

martynoconnor
Communicator
‎12-21-2019 04:11 AM

If they can't add, are the definitely the same version as the other indexers? Are they the same operating system? Do they have the required ports open for replication and communication to the master? Is there a network route from them to the master and to the other peers? Is there a firewall that needs configured (both on the network and on the host). Are the new indexers using the correct pass4SymmKey? Is there a typo in the name of the clustermaster in server.conf [clustering] stanza?

As a troubleshooting measure, take a look at $SPLUNK_HOME/var/log/splunk/splunkd.log for WARN or ERROR messages concerning clustering on the new indexers. The reason why they can't join will likely be explained there.

Reply
Get Updates on the Splunk Community!

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
Top