Steps to Create Search Head Cluster in Splunk

Ashvin Pandey
Apr 13, 2021


In this blog we will implement search head clustering in Splunk. Follow the steps below to add a new index in a cluster.

1. Create the Deployer:-

Create an app with a server.conf in its local directory that sets pass4SymmKey under the shclustering stanza.
/opt/splunk/etc/system/local/server.conf
pass4SymmKey = yourkey

Note: Replace yourkey with your plaintext key. Splunk rewrites it in encrypted form when it restarts, which is why the stanza in step 6 shows a value beginning with $1$.

2. Initialize cluster Members:-

Run the following command:-
$ splunk init shcluster-config -auth <username>:<password> -mgmt_uri <URI>:<management_port> -replication_port <replication_port> -replication_factor <n> -conf_deploy_fetch_url <URL>:<management_port> -secret <security_key> -shcluster_label <label>

Example:-
$ /opt/splunk/bin/splunk init shcluster-config -mgmt_uri https://<your_site>:8089 -replication_port 9887 -replication_factor 2 -conf_deploy_fetch_url https://<your_site>:8089 -secret '1!l1x1!!1x1x11X1x1x!X@x1x1'

Repeat this on every search head (including the captain).
Restart the servers.

Note: At this point, each search head you ran the command on knows which deployer it uses and the key to authenticate with.

3. Make any one Search Head the Captain:-

Run the following command:-
$ splunk bootstrap shcluster-captain -servers_list "<URI>:<management_port>,<URI>:<management_port>,..." -auth <username>:<password>

Example:-
$ /opt/splunk/bin/splunk bootstrap shcluster-captain -servers_list https://<your_site>:8089,https://<your_site>:8089,https://<your_site>:8089

Restart Splunk on the captain.

Note: This step is required only for a search head cluster. You can omit this step if you are not setting up SHC.

4. Check SH cluster Status:-

To check the overall status of your search head cluster, run this command from any of the members:-

Example:-
$ /opt/splunk/bin/splunk show shcluster-status

5. Apply Bundle through Deployer:-

To apply the bundle to the search head cluster members, run the following command on the deployer.

Example:-
$ /opt/splunk/bin/splunk apply shcluster-bundle -target https://<your_site>:8089

6. Stanza looks like this in server.conf

[shclustering]
disabled = 0
pass4SymmKey = $1$xxxx+X11xXX1xxXX1Xxx1x1xX1xxxx1XXxx=
conf_deploy_fetch_url = https://<your_site>:8089
mgmt_uri = https://<your_site>:8089
replication_factor = 2
id = 11XX11XX-XXXX-1XX1-1XX1-11XXXXXXXXXX
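
The stanza above can be checked mechanically on each member. This is an added example, not code from the original post or from Splunk: a shell function that audits the [shclustering] stanza for a mis-cased or plaintext pass4SymmKey, non-https URLs and a bad replication_factor. The names audit_shclustering and sample_conf, the sample hostnames and the choice of checks are assumptions.

```shell
#!/bin/sh
# Added example: audit the [shclustering] stanza of a server.conf.
# Prints one finding per line; exit status 0 = clean, 1 = findings.
# Reads the file named in $1, or stdin when no file is given.
audit_shclustering() {
    awk '
    /^[ \t]*\[/ { in_shc = ($0 ~ /^[ \t]*\[shclustering\]/); next }
    in_shc && /^[ \t]*[^# \t][^=]*=/ {
        key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        v[key] = val
    }
    END {
        bad = 0
        # Setting names are case-sensitive, so a mis-cased key is not read.
        for (k in v)
            if (tolower(k) == "pass4symmkey" && k != "pass4SymmKey")
                bad = report(k ": wrong case, expected pass4SymmKey")
        if (!("pass4SymmKey" in v))
            bad = report("pass4SymmKey: not set")
        else if (v["pass4SymmKey"] !~ /^\$[0-9]+\$/)   # encrypted form, e.g. $1$...
            bad = report("pass4SymmKey: still plaintext on disk")
        n = split("conf_deploy_fetch_url mgmt_uri", urls, " ")
        for (i = 1; i <= n; i++)
            if ((urls[i] in v) && v[urls[i]] !~ /^https:\/\//)
                bad = report(urls[i] ": not an https:// URL")
        if (v["replication_factor"] !~ /^[1-9][0-9]*$/)
            bad = report("replication_factor: missing or not a positive integer")
        exit bad
    }
    function report(msg) { print msg; return 1 }
    ' "$@"
}

# Constructed sample input (hostnames and values are made up for this example).
sample_conf() {
    cat <<'EOF'
[general]
serverName = sh1
[shclustering]
disabled = 0
pass4SYmmkey = yourkey
conf_deploy_fetch_url = http://deployer.example.test:8089
mgmt_uri = https://sh1.example.test:8089
replication_factor = 2
EOF
}

sample_conf | audit_shclustering || true
```

A plaintext pass4SymmKey is expected between editing the file and the first restart; the finding matters when it shows up on a running member or in a copy of the file kept elsewhere.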

If you are still facing issues with this topic, feel free to ask your doubts in the comment box below, and don't forget to follow our other Splunk blogs on Avotrix. Happy Splunking >😉
