Splunk Search

How to add search peers in a search head cluster?

Builder

Is there a trick to adding search peers with a search head cluster? I have to add 20 new indexers very soon and I don't want to have to go to each SH GUI over and over. Assuming there is a script somewhere I should be running?

0 Karma

Legend

You could do this:

  1. Create a new app on the deployer. In the local directory of the app, create a file named distsearch.conf.
  2. In distsearch.conf, list all the search peers (including the existing ones).
  3. Use the deployer to distribute the app to the search heads.

Here is some info on creating/editing distsearch.conf

Influencer

(facepalm) I wish they put that in the documentation 🙂

0 Karma

Builder

Hey yes, the manual key exchange is what I am trying to avoid. Assuming there is a script or something that we should be using?

Distribute the key files
If you add search peers via Splunk Web or the CLI, Splunk Enterprise automatically configures authentication. However, if you add peers by editing distsearch.conf, you must distribute the key files manually. After adding the search peers and restarting the search head, as described above:

  1. Copy the file $SPLUNK_HOME/etc/auth/distServerKeys/trusted.pem from the search head to $SPLUNK_HOME/etc/auth/distServerKeys//trusted.pem on each search peer.

The is the search head's serverName, specified in server.conf.

  2. Restart each search peer.

0 Karma
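
The approach from the answers above, as an added example that is not part of the original thread and not Splunk's own tooling: it renders the distsearch.conf body for the deployer app from a peer list and prints where trusted.pem has to land on each peer, rejecting entries that could inject into the config or the copy path. Assumptions: peers use https on management port 8089, the directory under distServerKeys is named after the search head's serverName, and all host names are constructed samples.

```bash
# Added example, not Splunk tooling. Function names and hosts are hypothetical.
set -u
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
MGMT_PORT="${MGMT_PORT:-8089}"   # assumption: default management port on every peer

# Read one peer host per line on stdin. Skip blanks and # comments, reject
# anything that is not a plain host name, drop duplicates, keep input order.
clean_peers() {
  local host seen=" "
  while IFS= read -r host || [ -n "$host" ]; do
    host="${host%%#*}"
    host="$(printf '%s' "$host" | tr -d '[:space:]')"
    [ -z "$host" ] && continue
    case "$host" in *[!A-Za-z0-9.-]*|-*|.*) echo "rejected peer: $host" >&2; return 1 ;; esac
    case "$seen" in *" $host "*) continue ;; esac
    seen="$seen$host "
    printf '%s\n' "$host"
  done
}

# Emit the distsearch.conf content for the app's local/ directory on the deployer.
render_distsearch() {
  local peers servers="" h
  peers="$(clean_peers)" || return 1
  [ -n "$peers" ] || { echo "no peers given" >&2; return 1; }
  for h in $peers; do
    servers="${servers:+$servers,}https://$h:$MGMT_PORT"
  done
  printf '[distributedSearch]\nservers = %s\n' "$servers"
}

# Print "peer:destination" for the search head's trusted.pem on every peer.
# $1 = search head serverName (assumed to be the directory name on the peer).
key_copy_plan() {
  local sh_name="$1" peers h
  case "$sh_name" in ""|*/*|.*) echo "bad serverName: $sh_name" >&2; return 1 ;; esac
  peers="$(clean_peers)" || return 1
  for h in $peers; do
    printf '%s:%s/etc/auth/distServerKeys/%s/trusted.pem\n' "$h" "$SPLUNK_HOME" "$sh_name"
  done
}

# Constructed sample input: contains a comment line and a duplicate entry.
SAMPLE_PEERS='idx01.example.com
# new indexers
idx02.example.com
idx01.example.com'
printf '%s\n' "$SAMPLE_PEERS" | render_distsearch
printf '%s\n' "$SAMPLE_PEERS" | key_copy_plan sh1.example.com
```

Each line of the copy plan can be fed to whatever file-transfer mechanism is already approved for the indexers; trusted.pem decides which search heads a peer will accept searches from, so compare its checksum on both ends after copying.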