Hi All,
I need to connect a new indexer cluster which are in GCP to an existing splunk SHC. I read the below document.
Integrate the search head cluster with an indexer cluster - Splunk Documentation
Integrate with a single-site indexer cluster
Do I need to execute on all the SHC and then do a rolling restart? OR I need to execute on one SH, perform the restart and then follow the same on other SH? also, do I need to start with captain or non-captain?
There is one more way, via GUI part:
Enable the search head - Splunk Documentation
It didn't mention whether I need to apply this on only one SH which is in cluster or on all the SH. can anyone help me with this? Thanks.
Hi. The way we do it is with an app that we put on the Splunk deployer in a special app e.g. /opt/splunk/etc/shcluster/apps/my_idxcluster/default/server.conf
Next we deploy the app to the search head cluster members. The deployer will determine whether a rolling restart of the heads is needed.
So we follow this https://docs.splunk.com/Documentation/Splunk/9.0.4/Indexer/Configuresearchheadwithserverconf
For example this goes in /opt/splunk/etc/shcluster/apps/my_idxcluster/default/server.conf
[clustering]
manager_uri = https://indexer_cluster_manager_url:8089
mode = searchhead
pass4SymmKey = whatever
Here are instructions for connecting to multiple clusters both single and multi sites. https://docs.splunk.com/Documentation/Splunk/9.0.4/Indexer/Configuremulti-clustersearch