How to add search peers in a search head cluster?

daniel333 · ‎12-28-2015

Is there a trick to adding search peers with a search head cluster? I have to add 20 new indexers very soon and I don't want to have to goto each SH GUI over and over. Assuming there is a script somewhere I should be running?

lguinn2 · ‎12-28-2015

You could do this:

Create a new app on the deployer. In the local directory of the app, create a file names distsearch.conf
In distsearch.conf, list all the search peers (including the existing ones)
Use the deployer to distribute the app to the search heads.

Here is some info on creating/editing distsearch.conf

jplumsdaine22 · ‎12-29-2015

(facepalm) I wish they put that in the documentation 🙂

daniel333 · ‎12-29-2015

Hey yes, the manual key exchange is what I am trying to avoid. Assuming there is a script or something that we should be using?

Distribute the key files
If you add search peers via Splunk Web or the CLI, Splunk Enterprise automatically configures authentication. However, if you add peers by editing distsearch.conf, you must distribute the key files manually. After adding the search peers and restarting the search head, as described above:

Copy the file $SPLUNK_HOME/etc/auth/distServerKeys/trusted.pem from the search head to $SPLUNK_HOME/etc/auth/distServerKeys//trusted.pem on each search peer.

The is the search head's serverName, specified in server.conf.

Restart each search peer.

How to add search peers in a search head cluster?

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control