Splunk Search

How to disable one search peer in cluster?

TISKAR
Builder

Hello, Splunkers:

I have a Cluster that contains 3 indexers and one search head.

I want the search head to communicate with two indexers, is there a way to do that (disable communication with the third)?

I tried to disable and delete using Settings/ Distributed search / Search peers =====> But it displays the error

Error occurred attempting to disable IP:8089: Can not disable peer = https: //ip: 8089. This peer is a part of a cluster.

Can You help, please?

Regards 😉

0 Karma

woodcock
Esteemed Legend

You are using the indexer discovery feature. Disabled this feature and peer manually to only the indexers that you desire to search. Beware that your request makes no sense to me and is guaranteed to give you incomplete/partial search results.

0 Karma

jnudell_2
Builder

Hi @TISKAR ,

Why would you want to do this? If you excluded one search peer from your search head, you would always receive incomplete search results.

0 Karma

VatsalJagani
Champion

Hello @TISKAR,

You have added that search head as part of the cluster as a search head node. Instead, if you want limited access to search peers, you can just use distributed search and manually add search peers' IPs.
But, just for the clarification, if you don't know the configuration of the cluster properly then this might give you incomplete data.

Hope this helps!!!

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...