Splunk Search

How to add search peers in a search head cluster?


Is there a trick to adding search peers with a search head cluster? I have to add 20 new indexers very soon and I don't want to have to goto each SH GUI over and over. Assuming there is a script somewhere I should be running?

0 Karma


You could do this:

  1. Create a new app on the deployer. In the local directory of the app, create a file names distsearch.conf
  2. In distsearch.conf, list all the search peers (including the existing ones)
  3. Use the deployer to distribute the app to the search heads.

Here is some info on creating/editing distsearch.conf


(facepalm) I wish they put that in the documentation 🙂

0 Karma


Hey yes, the manual key exchange is what I am trying to avoid. Assuming there is a script or something that we should be using?

Distribute the key files
If you add search peers via Splunk Web or the CLI, Splunk Enterprise automatically configures authentication. However, if you add peers by editing distsearch.conf, you must distribute the key files manually. After adding the search peers and restarting the search head, as described above:

  1. Copy the file $SPLUNK_HOME/etc/auth/distServerKeys/trusted.pem from the search head to $SPLUNK_HOME/etc/auth/distServerKeys//trusted.pem on each search peer.

The is the search head's serverName, specified in server.conf.

  1. Restart each search peer.
0 Karma
Get Updates on the Splunk Community!

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...