Solved: In a Splunk cluster, is it good practice to have i...

neltonk · ‎06-20-2018

Hi, I have just installed a Splunk cluster. My configuration is supposed to be 1 Master(also the licensing master) , 3 peers, 1 search head.
However after installation in the cluster dashboard on the master, I see two search heads.

In the search heads tab in the clustering dashboard of the master, I see two search heads listed. I dont see any option to remove the master node.

The master node has automatically assigned it self as search head? is this correct? if no, how do I correct this situation?

The Search Head dashboard, I see the cluster Master listed correctly. Under Search peers in Distributed Search, I see the 3 indexer peers listed as search peers. the master node is not listed as search peer. It does not reflect the master node dashboard. is it a good practice to have indexer peers to be as search peers? I am confused here and need some help.

I am new to splunk and have not attended the clustering training yet, so please I need help.

DalJeanis · ‎06-20-2018

Per Nadine, one of my favorite Splunkers, the Cluster Master is always a search head. That does not mean that you let people search from it, it just means that one of its functions is gathering data from the other boxes. Presumably, you have also established the Monitoring Console on the same box.

Here is some background terminology, with links ...

1) A search head that is not an indexer itself is called a "dedicated search head".

https://docs.splunk.com/Splexicon:Searchhead

2) Indexers in a cluster are referred to as "peers" or "peer nodes" or "search peers".

https://docs.splunk.com/Splexicon:Searchpeer
https://docs.splunk.com/Splexicon:Peernode

3) The master node is not an indexer, so it is not a search peer.

https://docs.splunk.com/Splexicon:Masternode

4) All of the above, including search heads, are the different types of "indexer cluster nodes".

https://docs.splunk.com/Splexicon:Clusternode

View solution in original post

DalJeanis · ‎06-20-2018

Per Nadine, one of my favorite Splunkers, the Cluster Master is always a search head. That does not mean that you let people search from it, it just means that one of its functions is gathering data from the other boxes. Presumably, you have also established the Monitoring Console on the same box.

Here is some background terminology, with links ...

1) A search head that is not an indexer itself is called a "dedicated search head".

https://docs.splunk.com/Splexicon:Searchhead

2) Indexers in a cluster are referred to as "peers" or "peer nodes" or "search peers".

https://docs.splunk.com/Splexicon:Searchpeer
https://docs.splunk.com/Splexicon:Peernode

3) The master node is not an indexer, so it is not a search peer.

https://docs.splunk.com/Splexicon:Masternode

4) All of the above, including search heads, are the different types of "indexer cluster nodes".

https://docs.splunk.com/Splexicon:Clusternode

nnmiller · ‎06-20-2018

This is normal behavior. An index cluster master is also a search head -- that's how it populates all the cluster master's "indexer clustering" information. A standalone License Master, if added to the monitoring console would also have the role of "Search Head", since that's where the license dashboards are generated.

neltonk · ‎06-20-2018

Thanks a lot for the quick response

DalJeanis · ‎06-20-2018

Don't panic. We'll help you get yourself straightened out.

neltonk · ‎06-20-2018

Thanks a lot for the quick response. I can now proceed with the next steps...

In a Splunk cluster, is it good practice to have indexer peers to be as search peers?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?