Splunk Enterprise

Delete Stanza from Distsearch on Search Head Cluster

klischatb
Path Finder

Hello to all,
following problem make  some trouble for me, hope u can help.

In a Search-Head-Cluster all Peers have under "splunk/etc/system/local" a distsearch.conf.
There is a Stanza which i want to delete, but after a restart it suddenly appears again.

What i tried was...
- delete Stanza on every peer
- After delete Stanza on every instance restart the cluster (splunk rolling-restart)
- Check deployer for apps

After this, the Stanza appeard again.


Example:
I want this:
[distributedSearch]
servers = https://server1:8089, https://server2:8089, https://server3:8089 

look like this:
[distributedSearch]
servers = https://server1:8089, https://server3:8089 

On my deployer is no app which will affect the distsearch.conf in my SHC.
Normaly an app would go under /splunk/etc/apps.

I Just inherited the Environment and not 100% sure about every connection.

Thank you for your help/comments

Labels (2)
0 Karma
1 Solution

anilchaithu
Builder

@klischatb 

 

  • The peers will be added to search head cluster by default when you integrate it with indexer cluster (from cluster master).
  • If you no longer have this peer (server 2), you need to remove it from the indexer cluster and then the cluster master.

 

-- Hope this helps

View solution in original post

klischatb
Path Finder

I checked some connections today and i found more interesting things:
Server 1 is a Cluster Master ; Server 2 was a Standalone indexer (Not Multiside) ; Server 3 (Still active is a Standalone Indexer too, not Multiside)

I can run searches on the Cluster and on server 3.

whatever, it is not possible to delete server 2 from the Stanza of Distsearch.

0 Karma

klischatb
Path Finder

@anilchaithu thank you for your help.
I will try this today and report the result.

0 Karma

anilchaithu
Builder

@klischatb 

 

  • The peers will be added to search head cluster by default when you integrate it with indexer cluster (from cluster master).
  • If you no longer have this peer (server 2), you need to remove it from the indexer cluster and then the cluster master.

 

-- Hope this helps

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...