Does anyone know how and if I should remove unneeded server roles?


Dear All,

I have a 5-server infrastructure set up, with one Search Head, two clustered Indexers, a Cluster Manager/License Manager/Deployment Server and a Heavy Forwarder.

I have looked at the Distributed Management Console and found that the various servers are still configured with roles other than ones that they were configured to have, for instance, the Search Head has the Indexer role, the Indexer has the Search Head role, and the Heavy Forwarder is a Search Head and an Indexer.

It seems wasteful to me to have extra roles and possibly extra processes on the servers. I also need to be able to repeat this via CLI.

Should I disable the unneeded roles? Also, I have been looking around for CLI commands to remove the roles and can't find anything. Does anyone know these?

Kindest regards,



You can, but you won't really save that much in terms of system resources IMO. If no one is running searches on your indexer or heavy forwarder, simply running Splunk Web is not going to be adding much load on the system.

Are you forwarding all internal logs from your search heads to your indexers? If not, your search head is also an indexer. Same for your Heavy Forwarder. If you haven't disabled Splunk Web on your Indexers and Heavy Forwarders, then they are also search heads, since they can search their own data.

As far as configuring explicit roles in a cluster, the only configuration I know of is in server.conf, in the clustering stanza:

mode = [master|slave|searchhead|disabled]
    * Sets operational mode for this cluster node.
    * Only one master may exist per cluster.
    * Defaults to disabled.

To disable Splunk Web from CLI, you can do: splunk disable webserver

For help with CLI: splunk help
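A repeatable CLI check for the two settings named in the answer above, as an added example that is not part of the original thread or Splunk's own tooling: it reads the `mode` key from the `[clustering]` stanza of server.conf and `startwebserver` from the `[settings]` stanza of web.conf, then compares them with what each node is supposed to be. The function names, expected values and sample files are constructed; it reads one config directory only (for example etc/system/local), so use `splunk cmd btool server list clustering` when you need the merged view across all layers.

```shell
#!/bin/sh
# Added example: audit one Splunk config directory for cluster mode and Splunk Web.

# conf_get FILE STANZA KEY: print the last value of KEY inside [STANZA], or nothing.
conf_get() {
    [ -f "$1" ] || return 0
    awk -v stanza="[$2]" -v key="$3" '
        /^[ \t]*#/ { next }                           # comment line
        /^[ \t]*\[/ {                                 # stanza header
            gsub(/^[ \t]+|[ \t]+$/, ""); cur = $0; next
        }
        cur == stanza && (eq = index($0, "=")) {      # key = value in our stanza
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# audit_node ETC_DIR: print "cluster_mode=<mode> splunk_web=<on|off>".
audit_node() {
    mode=$(conf_get "$1/server.conf" clustering mode)
    web=$(conf_get "$1/web.conf" settings startwebserver)
    case "$web" in
        0) web=off ;;
        *) web=on ;;     # unset means Splunk Web is started
    esac
    # mode defaults to disabled when the key is absent
    echo "cluster_mode=${mode:-disabled} splunk_web=$web"
}

# check_node ETC_DIR WANT_MODE WANT_WEB: non-zero exit status when the node drifts.
check_node() {
    got=$(audit_node "$1")
    want="cluster_mode=$2 splunk_web=$3"
    [ "$got" = "$want" ] && { echo "OK    $1: $got"; return 0; }
    echo "DRIFT $1: got '$got', want '$want'"
    return 1
}

# Constructed sample: an indexer that still runs Splunk Web, and a heavy
# forwarder where Splunk Web was disabled and clustering was never configured.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/idx1" "$demo_dir/hf1"
printf '[general]\nserverName = idx1\n\n[clustering]\n# peer node\nmode = slave\n' > "$demo_dir/idx1/server.conf"
printf '[settings]\nstartwebserver = 0\n' > "$demo_dir/hf1/web.conf"
check_node "$demo_dir/idx1" slave off || true
check_node "$demo_dir/hf1" disabled off
```

The non-zero status from `check_node` makes it usable in a loop over all five servers, so any instance whose web interface or cluster mode does not match its intended role is flagged.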
