Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How does the search header cluster change to a single search header instance?

bestSplunker
Contributor
‎01-27-2019 07:39 PM

I have a single site cluster that architecture is as follows:

search header cluster: 4 search head + a deployer
indexer cluster : 5 peer node + 1 master node

1、I don't want to use search header clustering now. I want to change the architecture to a single search instance . What should I do?

I want to change to :

a search head and no deployer
indexer cluster : 3 peer node + 1 master node

https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Removeaclustermember
https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/Removepeerfrommasterlist

Do I just need to remove 3 cluster members from SHC and remove 2 peer node from indexer cluster with reference to the above document? ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎01-27-2019 08:15 PM

I have been unable to find specific documentation about this scenario, but I think this process should work:

  1. With all search heads running, make sure the configuration is synced across cluster members (make sure noone is making changes).
  2. Stop all search heads and search head deployer.
  3. On the box you want to use as a standalone, edit etc/system/local/server.conf and comment out the [shclustering] section and [replication_port:.. sections.
  4. Start splunk on the solo box. Don't ever turn on the other boxes again.

Yes you can convert to a single indexer if you have enough storage space. You can use the instructions here: https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/Takeapeeroffline#Take_a_peer_down_permane...

View solution in original post

Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎01-27-2019 08:15 PM

I have been unable to find specific documentation about this scenario, but I think this process should work:

  1. With all search heads running, make sure the configuration is synced across cluster members (make sure noone is making changes).
  2. Stop all search heads and search head deployer.
  3. On the box you want to use as a standalone, edit etc/system/local/server.conf and comment out the [shclustering] section and [replication_port:.. sections.
  4. Start splunk on the solo box. Don't ever turn on the other boxes again.

Yes you can convert to a single indexer if you have enough storage space. You can use the instructions here: https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/Takeapeeroffline#Take_a_peer_down_permane...

Reply
Solved! Jump to solution

bestSplunker
Contributor
‎01-28-2019 06:06 AM

The last question , can I convert an indexer cluster to an indexer? At present, the search factor is 2 and the replication factor is 3, which means that the indexer keeps two searchable copies. If I remove multiple peers from the indexer, if I guarantee that an indexer's data is complete?How can I do this without loss and repetition?

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎01-28-2019 11:28 AM

Hi, You cannot have a SF or RF of more than 1 if you only have one indexer. You would need to keep at least 3 indexers. Otherwise reduce your SF/RF first.

0 Karma
Reply
Solved! Jump to solution

bestSplunker
Contributor
‎01-29-2019 01:52 AM

@chrisyoungerjds thank you for your reply. now ,I want to convert to 1 search head + indexer cluster with 3 peer nodes+1 master node. According to the above method, can I really do it? Now replication factor 3, the search factor is 2. If I convert, should the replication factor be changed to 2 and the search factor changed to 1?

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎01-29-2019 01:58 AM

You need to have as many indexers as you have SF/RF. So if you have SF2/RF2 then you only need two indexers. If you have SF1/RF2 then you need two indexers still. If you have SF1/RF2 and one indexer dies, you won't lose data but you will need to spend time rebuilding the indexes. How long this takes depends on how much data you have. I hope this helps.

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...