How to connect a SHC to Indexer cluster?

vinothkumark · ‎05-02-2023

Hi All,

I need to connect a new indexer cluster which are in GCP to an existing splunk SHC. I read the below document.

Integrate the search head cluster with an indexer cluster - Splunk Documentation

Integrate with a single-site indexer cluster

Do I need to execute on all the SHC and then do a rolling restart? OR I need to execute on one SH, perform the restart and then follow the same on other SH? also, do I need to start with captain or non-captain?

There is one more way, via GUI part:

Enable the search head - Splunk Documentation

It didn't mention whether I need to apply this on only one SH which is in cluster or on all the SH. can anyone help me with this? Thanks.

burwell · ‎05-02-2023

Hi. The way we do it is with an app that we put on the Splunk deployer in a special app e.g. /opt/splunk/etc/shcluster/apps/my_idxcluster/default/server.conf

Next we deploy the app to the search head cluster members. The deployer will determine whether a rolling restart of the heads is needed.

So we follow this https://docs.splunk.com/Documentation/Splunk/9.0.4/Indexer/Configuresearchheadwithserverconf

For example this goes in /opt/splunk/etc/shcluster/apps/my_idxcluster/default/server.conf

[clustering]
manager_uri = https://indexer_cluster_manager_url:8089
mode = searchhead
pass4SymmKey = whatever

isoutamo · ‎05-02-2023

Here are instructions for connecting to multiple clusters both single and multi sites. https://docs.splunk.com/Documentation/Splunk/9.0.4/Indexer/Configuremulti-clustersearch

How to connect a SHC to Indexer cluster?

administration

configuration

installation

other

using Splunk Enterprise

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms