Splunk Enterprise

how to configure "mode" of server.conf in multiple site cluster

danielwan
Explorer

I am going to create a multiple site cluster with Splunk 6.5 enterprise.

According to Splunk document of "Configure multisite indexer clusters with server.conf". the "mode" under "[clustering]" section is supposed to be either "master"(for master indexer), "slave"(for peer-node indexer), or "searchhead"(for search head)

I would like each Splunk instance host in my cluster can do both search and indexing, what is the mode value I shall configure it?

0 Karma
1 Solution

s2_splunk
Splunk Employee
Splunk Employee

Your indexer cluster peer nodes are "slave", the machine you use as a cluster master will be "master" and the search head(s) you will use to search across your cluster will be "searchhead", which will get its list of search peers from the cluster master periodically.
Your cluster peers are search peers by definition, the search head will interact with each peer when users run searches on the search head. Your users MUST NOT have access to the UI of the cluster peers directly for searching; everything search will be coordinated by the SH and CM.

View solution in original post

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Your indexer cluster peer nodes are "slave", the machine you use as a cluster master will be "master" and the search head(s) you will use to search across your cluster will be "searchhead", which will get its list of search peers from the cluster master periodically.
Your cluster peers are search peers by definition, the search head will interact with each peer when users run searches on the search head. Your users MUST NOT have access to the UI of the cluster peers directly for searching; everything search will be coordinated by the SH and CM.

0 Karma

danielwan
Explorer

I want each of my Splunk instance to play both search head and a indexer role (either master or slave ) on the same box in the multiple site cluster, is is supported?
I think your point is my master node (master+search head) shall use "master", slave node (slave+search head) shall go with "slave". the node as search peer only without any indexer functionality will use "searchhead", is it correct?

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

No, it is not supported. In any distributed environment, search roles must be separated from indexer roles. In a clustered environment, the cluster master cannot be on the same machine than a cluster peer.
You need at least one search head, one cluster master and two indexer peer nodes to deploy a valid cluster.
Please study this page carefully; it states

Important: A master node cannot do double duty as a peer node or a search node. The Splunk Enterprise instance that you enable as master node must perform only that single indexer cluster role. In addition, the master cannot share a machine with a peer. Under certain limited circumstances, however, the master instance can handle a few other lightweight functions. See "Additional roles for the master node".

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...