Getting Data In

How to add more indexers to your existing indexer cluster?

Path Finder

Not finding much on this subject, and looking for a little guidance...

I already have an indexer cluster up and running with (2) indexers in the cluster. Looking to add a new indexer to that pool. From reading it looks like I...

1) enter maintenance mode on the cluster master...
2) up the search factor/replication factor (if desired)...
3) enable indexer clustering on the new indexer and join the indexer to the master (peer node configuration)
4) ensure all indexes are recreated on the new indexer
5) Data rebalance
6) Bring master out of maintenance mode
7) Push out new outputs.conf to forwarders with 3rd indexer info as well


Splunk Enterprise 6.5.0

0 Karma


The process for adding an indexer to a cluster is documented at . The steps apply to earlier versions of Splunk, not just 8.0.1.

If this reply helps you, Karma would be appreciated.

Splunk Employee
Splunk Employee


1) install splunk the same way you did for other indexer and enable indexer clustering on the new indexer
-> the indexer join the cluster, get the index list, apps to be deployed on indexers, ... become a target for replication and search head learn that it exist.
2) Push out new outputs.conf to forwarders with 3rd indexer info as well
3) up the search factor/replication factor (if desired)...
4)if needed Data rebalance

0 Karma


Dear All
I follow all steps above but the new indexers can't add is there any settings need to do in cm

0 Karma


If they can't add, are the definitely the same version as the other indexers? Are they the same operating system? Do they have the required ports open for replication and communication to the master? Is there a network route from them to the master and to the other peers? Is there a firewall that needs configured (both on the network and on the host). Are the new indexers using the correct pass4SymmKey? Is there a typo in the name of the clustermaster in server.conf [clustering] stanza?

As a troubleshooting measure, take a look at $SPLUNK_HOME/var/log/splunk/splunkd.log for WARN or ERROR messages concerning clustering on the new indexers. The reason why they can't join will likely be explained there.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...