I have a Cluster which has 3 Indexers and a Search Head on the east coast, I also have a single stand alone server (Indexer & Search Head) on the West Coast.
I was able to set up on the West coast server the three Indexers as distributed search peers, and able to search all three of them for any of the indexes.
But I don't have the ability to configure the West Coast Indexer on the East Coast Search Head that is part of the cluster.
How or what is the right way to do this?
When you're using a clustered setup, the search head pretty much ignores
distsearch.conf, the traditional means of specifying search peers. It can only contact indexers that are part of a cluster. A lot of people, when migrating from a traditional distributed search set up, to one involving clusters, employ a holdover "cluster of one". This is a cluster master, specifying a replication factor of one (1) and a search factor of one (1), with only the standalone indexers as peers. This means that the indexers function as they used to, while, satisfying the "must be clustered" requirement for the search head to search across all of them.
To employ this strategy, you would need to create a "cluster of one" on the West Coast, and direct the East Coast SH to contact that cluster master. The configuration in the
server.conf of the East Coast SH would look like this:
[clustering] mode = searchhead master_uri = clustermaster:west-coast.cluster.master:port, clustermaster:east-coast.cluster.master:port
Great answer. I did not think of that, given you would logically consider a cluster to have a minimum of 2 indexers.
What I ended up doing on the East Coast was removing the Search Head from the Cluster, and configuring the SH using the distsearch.conf file to manually point to my 3 East coast cluster indexers, and the single West coast stand alone indexer.
Do you see anything wrong with this method?
In Splunk 6 you can have a SH search both clustered peers and one-off indexers.
See here for more info