Splunk Search

Totally Disable Search head Clustering

pgadhari
Builder

I have 2 nodes in my Search Head cluster and want to disable the Search head Clustering fully. I have a deployer also, which I used during configuration of Search Head Cluster.

In the documentations, I can see only "Remove cluster member" but there is no documentation on how to disable and remove Search Head Clustering fully. Please help on how to disable and remove Search head cluster ?

0 Karma
1 Solution

jawaharas
Motivator

Splunk recommends at least 3 instances to create search head cluster. Run below commands in each search-head members to disable search-head clustering.

  1. Remove the member:
    splunk remove shcluster-member

  2. Disable the member:
    splunk disable shcluster-config

  3. Clean the KVStore:
    splunk clean kvstore --cluster

Reference:
https://docs.splunk.com/Documentation/Splunk/6.5.1/DistSearch/Removeaclustermember

View solution in original post

0 Karma

chinmoya
Communicator

You would have a configuration in your servers.conf.
Ideally, this should be in your system/local. But can differ depending on your configuration.

The servers.conf will have a stanza [shclustering].

Remove all configuration under this stanza on all your SH.
Do a restart.
Your SH clustering will be removed.

jawaharas
Motivator

Splunk recommends at least 3 instances to create search head cluster. Run below commands in each search-head members to disable search-head clustering.

  1. Remove the member:
    splunk remove shcluster-member

  2. Disable the member:
    splunk disable shcluster-config

  3. Clean the KVStore:
    splunk clean kvstore --cluster

Reference:
https://docs.splunk.com/Documentation/Splunk/6.5.1/DistSearch/Removeaclustermember

0 Karma

pgadhari
Builder

I have 2 nodes in my search head cluster, do I need to do above steps on both the nodes one by one ?

0 Karma

jawaharas
Motivator

Yes. Execute these commands on each search-head members (one by one).

0 Karma

pgadhari
Builder

ok got it. Thanks. I will revert back.

0 Karma

pgadhari
Builder

I have tried that command but I am getting issues, when I run disable member command on the captain, the command is getting stuck and doing nothing ? In my case I have 2 nodes in a cluster the member node was removed successfully.

But running that command on captain is not working, as I think it is trying to find the another captain to remove that member. What can be done in this case ?

Should I comment "clustering" stanza on Captain and take a restart ? Please advise ?

0 Karma

jawaharas
Motivator

Update 'disabled' key to 1 in 'shclustering' stanza of your 'server.conf' file and restart the Splunk instance.

[shclustering]
disabled = 1

pgadhari
Builder

But I think this will only disable one of the member of the cluster. Whether it will totally disable Search head clustering ? Also, whether I have to do any steps on Deployer to disable any services on it ? Please advise ?

0 Karma

jawaharas
Motivator

I have updated my answer with steps. Kindly accept the answer if it's helpful.

0 Karma

pgadhari
Builder

sure I will try this out and revert back. Thanks.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...