Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Master node shows up as Search head

dif2175509
New Member
‎08-02-2017 12:27 PM

I have defined a cluster as follows:

Splunk-mstb (cluster master)
|
Splunkb (Search head in the cluster)
|
splunk-idxb
|
splunk-fwdb

and both my Splunkb and splunk-mstb show up as search heads.

My server.conf only has the following in it:

[clustering]
mode = master

How can I remove the errant Search head entry (and from where)?

Tags (1)
0 Karma
Reply

dif2175509
New Member
‎08-03-2017 02:52 AM

There is no overlap between msta and mstb clusters.

All the VM names are correct (as well as the names within the Splunk instance). I have built the clusters but not defined any indexes yet.

The GUI in the cluster, msta, shows the correct indexer peers (idxa and idxc) and search head (splunka)

The GUI in the cluster, mstb, shows the correct index peer (idxb) and two search heads (mstb and splunkb).

If i was getting similar behavior in both clusters it would not cause concern.

0 Karma
Reply

bheemireddi
Communicator
‎08-02-2017 03:15 PM

dif2175509,

When you configure the indexer cluster, cluster master will show up as one of the search heads. This is default behavior.In this case you can use the master node for the troubleshooting purposes and not really for production searches.

0 Karma
Reply

dif2175509
New Member
‎08-02-2017 04:25 PM

I have a second cluster defined:

Splunk-msta (cluster master)
|
Splunka (Search head in the cluster)
|                  |
splunk-idxa  & splunk-idxc
|
splunk-fwda

and only splunka shows up as search heads (not splunka and splunk-msta).

Why do i not see same behavior with this cluster?

0 Karma
Reply

bheemireddi
Communicator
‎08-02-2017 07:05 PM

Are you sure of the configurations on this cluster where you don't see Cluster master as the search head?
Do you see the cluster enabled when you login to the Cluster Master GUI? is the master configured with correct mode? your hostnames overlap between first and second cluster.. hopefully you have the right names in the configurations

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...