Splunk Enterprise

how to configure "mode" of server.conf in multiple site cluster

danielwan
Explorer

I am going to create a multiple site cluster with Splunk 6.5 enterprise.

According to the Splunk document "Configure multisite indexer clusters with server.conf", the "mode" under the "[clustering]" section is supposed to be either "master" (for master indexer), "slave" (for peer-node indexer), or "searchhead" (for search head).

I would like each Splunk instance host in my cluster to do both search and indexing. What mode value shall I configure for it?

0 Karma
1 Solution

s2_splunk
Splunk Employee

Your indexer cluster peer nodes are "slave", the machine you use as a cluster master will be "master" and the search head(s) you will use to search across your cluster will be "searchhead", which will get its list of search peers from the cluster master periodically.
Your cluster peers are search peers by definition; the search head will interact with each peer when users run searches on the search head. Your users MUST NOT have access to the UI of the cluster peers directly for searching; everything search-related will be coordinated by the SH and CM.

0 Karma

danielwan
Explorer

I want each of my Splunk instances to play both a search head and an indexer role (either master or slave) on the same box in the multiple site cluster. Is it supported?
I think your point is that my master node (master+search head) shall use "master", and a slave node (slave+search head) shall go with "slave". A node acting as search peer only, without any indexer functionality, will use "searchhead". Is that correct?

0 Karma

s2_splunk
Splunk Employee

No, it is not supported. In any distributed environment, search roles must be separated from indexer roles. In a clustered environment, the cluster master cannot be on the same machine as a cluster peer.
You need at least one search head, one cluster master and two indexer peer nodes to deploy a valid cluster.
Please study this page carefully; it states:

Important: A master node cannot do double duty as a peer node or a search node. The Splunk Enterprise instance that you enable as master node must perform only that single indexer cluster role. In addition, the master cannot share a machine with a peer. Under certain limited circumstances, however, the master instance can handle a few other lightweight functions. See "Additional roles for the master node".

0 Karma
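
The role-separation rules from the answers above, written as an added example (not code from the thread or from Splunk): a Python check that reads the `[clustering]` `mode` from each instance's server.conf and reports layouts the answers call unsupported. The host names, site names, `master_uri` value and the `check_plan` helper are assumptions made for this illustration, and the server.conf samples are constructed.

```python
import configparser

# Constructed sample server.conf files; host names, sites and master_uri are assumptions.
MASTER = """[general]
site = site1
[clustering]
mode = master
multisite = true"""
PEER = """[general]
site = {site}
[clustering]
mode = slave
master_uri = https://cm.example.com:8089"""
SEARCH_HEAD = """[general]
site = site1
[clustering]
mode = searchhead
multisite = true
master_uri = https://cm.example.com:8089"""
P1, P2 = PEER.format(site="site1"), PEER.format(site="site2")
# GOOD separates the roles; COMBINED is the shared-box layout asked about in the thread.
GOOD = [("cm", MASTER), ("idx1", P1), ("idx2", P2), ("sh1", SEARCH_HEAD)]
COMBINED = [("box1", MASTER), ("box1", P1), ("box2", P2), ("box2", SEARCH_HEAD)]

MINIMUM = {"master": 1, "searchhead": 1, "slave": 2}  # smallest valid cluster per the answer

def check_plan(instances):
    # instances: (machine, server.conf text) pairs; returns a list of findings.
    findings, by_machine = [], {}
    for machine, text in instances:
        cp = configparser.ConfigParser(strict=False, interpolation=None)
        cp.read_string(text)
        mode = cp.get("clustering", "mode", fallback=None)
        if mode in MINIMUM:
            by_machine.setdefault(machine, []).append(mode)
        else:  # one instance carries exactly one of the three mode values
            findings.append(f"{machine}: unsupported mode {mode!r}")
    for machine, modes in sorted(by_machine.items()):
        others = sorted(set(modes) - {"slave"})
        if "slave" in modes and others:
            findings.append(f"{machine}: peer shares a machine with {', '.join(others)}")
    for mode, need in MINIMUM.items():
        have = sum(m.count(mode) for m in by_machine.values())
        if have < need:
            findings.append(f"cluster: needs {need} x {mode}, has {have}")
    return findings

if __name__ == "__main__":
    print(check_plan(GOOD), check_plan(COMBINED), sep="\n")
```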