Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Removing deployer from one of the search head clusters

anglewwb35
Explorer
‎01-27-2025 11:44 PM

Currently I am adopting the same deployer to two different search head cluster and would like to remove it from one of the clusters. However, I cannot find any official documentation related to it. Could anyone tell me how to do it? Thank you so much

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-28-2025 11:04 AM

Here is instructions how to backup and restore deployer https://docs.splunk.com/Documentation/Splunk/9.4.0/DistSearch/BackuprestoreSHC

I think that you could just replicate old deployer to new one and change its name, ip and GUID. I’m not sure if there is something on bundles or state files what needs to change etc?

Then change replication url on all those SHC nodes which you are moving to this new cluster to point into it. After that just bring those nodes up one by one and wait that each one is up and there is no errors. After that start next.

Before you start this take offline backups including kvstore and stop all those nodes which belongs to SHC which you are moving away from original deployer.

If there is no need to keep those nodes in SHC anymore, then just remove those nodes from SHC and use those as individual SH.

Note: I haven’t try this by myself, so you take the risk by yourself!

0 Karma
Reply

dural_yyz
Motivator
‎01-28-2025 07:43 AM

Sorry are you:

1) Trying to make a single Search Head Deployer serve 2 individual clusters?

OR

2) Trying to move a single Search Head Deployer away from Cluster X and now server Cluster Y

0 Karma
Reply

anglewwb35
Explorer
‎01-31-2025 12:08 AM

Hi~ I am trying to make a single Search Head deployer serving 2 individual search head clusters

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-31-2025 02:32 AM

Honestly, I've never heard about such possibility. Since you're bootstrapping a SHC member from a deployer, how would you decide which SH is a part of which cluster? Also if you're applying shcluster bundle, you're pushing it to one member and let others replicate their config from there. How would you expect to do it with two SHCs? (OK, you could do the push explicitly to two different SHs but I'm not sure if that would work).

Why do you even want to to something like that? If you have enough machines and they are supposed to have the same config why not create a single SHC?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-31-2025 07:10 AM
Based on documentation this is supported configuration. There could be several SHC serving by one deployer, but all those SHCs must have an equal configuration. Of course they can have different amount of members and those size could be different in every SHC.

But honestly said I couldn't find any real use cases for this.
Only one which comes my mind is that those SHC:s have different user bases and some configuration are managed with SHC GUI (which is not wise).

Definitely it's better and easier way that every SHC has it's own Deployer. Using one Deployer with several SHCs will be road to issues.
0 Karma
Reply

anglewwb35
Explorer
‎02-02-2025 07:08 PM

I can find evidence to back this up, but hard to find any real case. In our case, we're limited by resources, so we can't add more deployers. We're using two search head clusters to keep things separate. This way, if one cluster needs to handle a lot of saved searches, it won't slow down the other one.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎02-28-2025 06:19 AM
This should works if and only if you are managing those saved searches on SHC's GUI not via deployer.
Of course you must install those apps 1st with deployer and it installs those on both SHC:

You must also understand that those both SHC:s probably use same indexers and then indexers can actually be your bottleneck not SHCs?
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-31-2025 07:18 AM

OK. Yes.  I found it.

https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/PropagateSHCconfigurationchanges#Set_...

"Deploy to multiple clusters

The deployer sends the same configuration bundle to all cluster members that it services. Therefore, if you have multiple search head clusters, you can use the same deployer for all the clusters only if the clusters employ exactly the same configurations, apps, and so on.

If you anticipate that your clusters might need different configurations over time, set up a separate deployer for each cluster."

But honestly,  I can't think of any reasonable use case for this.

0 Karma
Reply
Get Updates on the Splunk Community!

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

  Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...
Top