Does the Master Node have to be the License Master in a clustered environment?


In a distributed (but non-clustered) environment, typically the Deployment Server (DS) is made to be the License Master (LM) because that box carries the lowest CPU usage doing its normal DS duties. I now have a clustered environment and am unsure whether to continue this practice (meaning distributing the app created with the license with a server.conf file) or change to using the Master Node as the LM (due to the _cluster folder for individual .conf file distribution or the master-apps folder for app distribution to the cluster). I have found no guidance in either the main Admin manual or the Indexing and Clustering manual on this...
Any help or guidance from someone who has done this would be appreciated...


When dealing with a clustered environment, I would strongly recommend that you never let your deployment server touch the masterapps folder.

The process for deploying configuration/apps to a cluster will always be a manual process since you have to execute the apply cluster bundle. The other benefit of having it be a manual process is that you can see when errors occur when you apply the bundle.

Splunk Professional Services allowed me to entertain the idea of having the deployment server manage the masterapps folder when they were on site, but that was quickly removed due to issues. What we found was that on Windows, the deployment server corrupted the security settings and, without knowing it, we deployed the app/settings via apply bundle.

After 30 minutes of waiting for the server to come up from a rolling restart, we saw a ton of errors.

So, long story short... We excluded the cluster master from the deployment server to prevent restarting the cluster master. We removed the masterapps from the deployment server.

Life has been better.

Splunk Professional Services and I attempted to get this working but ran into some major roadblocks with the way the deployment server manages security. On several occasions, the deployment server wiped out my security setting, and when the cluster apply bundle was executed it propagated the changes.

BTW: Splunk still recommends cluster master being its own box.

My environment:
1 License / Deployment Server (VM)
1 Cluster Master
20 Nodes
3 Search Head Pooling servers
2 Dedicated Search Head servers

I hope it helps

Splunk Employee

The CM may also be a good candidate for virtualization, imo.

0 Karma


I remember reading that it is recommended to have a search head be the license master. That way if there are any licensing issues you are more likely to see the alerts.


Good question though ...

What does Splunk say about that?
Especially in an environment where you have distributed search + clustering.
Does the Search Head have to be defined as a slave too?

Thanks in advance

Splunk Employee

The search head should not be a cluster peer (if that's what you meant by slave). You can't mix distributed search and clustering, at least on the search head; enabling it as a search head of a cluster effectively disables distsearch.conf.

0 Karma


There is no requirement for the License Master to be on the same instance as the cluster master. I worked on a customer site yesterday where the Search Head was the License Master.
