Community:How to add a search head to your pool
From Splunk Wiki
This document is for pre-4.2 Splunk. After 4.2 is released, we introduced a search head pooling. For more detail, please visit our online document.
This page details how to add an additional search head to your existing distributed deployment. These instructions assume that you are a qualified Splunk administrator and have previously deployed Splunk instances. In this exercise, we will assume we have many indexers and two search heads. For reference purposes, we will call each of N indexers indexer01, indexer02, and similar. The search heads will be referenced as searcher01 and searcher02. The existing example deployment consists of N indexers, with searcher01 searching the N indexers.
- Install Splunk on the search head (searcher02)
- To leverage similar password capabilities, distribute the same splunk.secret file and the same ssl password key.
- Copy the opt/splunk/etc/auth/splunk.secret file from searcher01 to the same location on searcher02
- Copy the sslKeysfilePassword parameter in the [sslConfig] stanza of the /opt/splunk/etc/system/local/server.conf file of searcher01 to searcher02
- Distribute the authentication token from the search head to each indexer
- Copy the /opt/splunk/etc/auth/distServerKeys/trusted.pem file from searcher02 to /opt/splunk/etc/auth/distServerKeys/searcher02/trusted.pem on each indexer
- As an alternative, you could use the UI to do this which will also add them to the local distributed configuration (distsearch.conf)
- Copy the relevant configuration files
- To retain similar user configuration, copy the relevant user files
- $SPLUNK_HOME/etc/users (copy the whole directory, as this retains the user data)
- To retain similar functionality within each app (search), copy the respective /local configuration
- To retain similar system level functionality, copy other system files from searcher01 to searcher02 EXCEPT for the following. You should instead MANUALLY add the configurations via edits. This is because the server/hostnames will be different.