Splunk Enterprise

Delete Stanza from Distsearch on Search Head Cluster

klischatb
Path Finder

Hello to all,
following problem make  some trouble for me, hope u can help.

In a Search-Head-Cluster all Peers have under "splunk/etc/system/local" a distsearch.conf.
There is a Stanza which i want to delete, but after a restart it suddenly appears again.

What i tried was...
- delete Stanza on every peer
- After delete Stanza on every instance restart the cluster (splunk rolling-restart)
- Check deployer for apps

After this, the Stanza appeard again.


Example:
I want this:
[distributedSearch]
servers = https://server1:8089, https://server2:8089, https://server3:8089 

look like this:
[distributedSearch]
servers = https://server1:8089, https://server3:8089 

On my deployer is no app which will affect the distsearch.conf in my SHC.
Normaly an app would go under /splunk/etc/apps.

I Just inherited the Environment and not 100% sure about every connection.

Thank you for your help/comments

Labels (2)
0 Karma
1 Solution

anilchaithu
Builder

@klischatb 

 

  • The peers will be added to search head cluster by default when you integrate it with indexer cluster (from cluster master).
  • If you no longer have this peer (server 2), you need to remove it from the indexer cluster and then the cluster master.

 

-- Hope this helps

View solution in original post

klischatb
Path Finder

I checked some connections today and i found more interesting things:
Server 1 is a Cluster Master ; Server 2 was a Standalone indexer (Not Multiside) ; Server 3 (Still active is a Standalone Indexer too, not Multiside)

I can run searches on the Cluster and on server 3.

whatever, it is not possible to delete server 2 from the Stanza of Distsearch.

0 Karma

klischatb
Path Finder

@anilchaithu thank you for your help.
I will try this today and report the result.

0 Karma

anilchaithu
Builder

@klischatb 

 

  • The peers will be added to search head cluster by default when you integrate it with indexer cluster (from cluster master).
  • If you no longer have this peer (server 2), you need to remove it from the indexer cluster and then the cluster master.

 

-- Hope this helps

View solution in original post

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!