Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to configure "mode" of server.conf in multiple site cluster

danielwan
Explorer
‎07-24-2017 07:15 PM

I am going to create a multiple site cluster with Splunk 6.5 enterprise.

According to Splunk document of "Configure multisite indexer clusters with server.conf". the "mode" under "[clustering]" section is supposed to be either "master"(for master indexer), "slave"(for peer-node indexer), or "searchhead"(for search head)

I would like each Splunk instance host in my cluster can do both search and indexing, what is the mode value I shall configure it?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎07-24-2017 11:38 PM

Your indexer cluster peer nodes are "slave", the machine you use as a cluster master will be "master" and the search head(s) you will use to search across your cluster will be "searchhead", which will get its list of search peers from the cluster master periodically.
Your cluster peers are search peers by definition, the search head will interact with each peer when users run searches on the search head. Your users MUST NOT have access to the UI of the cluster peers directly for searching; everything search will be coordinated by the SH and CM.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎07-24-2017 11:38 PM

Your indexer cluster peer nodes are "slave", the machine you use as a cluster master will be "master" and the search head(s) you will use to search across your cluster will be "searchhead", which will get its list of search peers from the cluster master periodically.
Your cluster peers are search peers by definition, the search head will interact with each peer when users run searches on the search head. Your users MUST NOT have access to the UI of the cluster peers directly for searching; everything search will be coordinated by the SH and CM.

0 Karma
Reply
Solved! Jump to solution

danielwan
Explorer
‎07-25-2017 12:57 AM

I want each of my Splunk instance to play both search head and a indexer role (either master or slave ) on the same box in the multiple site cluster, is is supported?
I think your point is my master node (master+search head) shall use "master", slave node (slave+search head) shall go with "slave". the node as search peer only without any indexer functionality will use "searchhead", is it correct?

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎07-31-2017 10:14 AM

No, it is not supported. In any distributed environment, search roles must be separated from indexer roles. In a clustered environment, the cluster master cannot be on the same machine than a cluster peer.
You need at least one search head, one cluster master and two indexer peer nodes to deploy a valid cluster.
Please study this page carefully; it states

Important: A master node cannot do double duty as a peer node or a search node. The Splunk Enterprise instance that you enable as master node must perform only that single indexer cluster role. In addition, the master cannot share a machine with a peer. Under certain limited circumstances, however, the master instance can handle a few other lightweight functions. See "Additional roles for the master node".

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...