How to Create

Indexer Cluster
using CLI
in Splunk
under 10 mins
How to Create Indexer Cluster in Splunk under 10 mins Splunk Mania

Contents
Prerequisites ..............................................................................................................3
Step-1: Enable Cluster Master Node ...........................................................................3
Step-2: Enable Indexer-1 Node ...................................................................................5
Step-3: Enable Indexer-2 Node ...................................................................................5
Step-4: Enable Indexer-3 Node ...................................................................................5
References ..................................................................................................................7
Contact: ......................................................................................................................7

@splunkmania #splunkmania
2
How to Create Indexer Cluster in Splunk under 10 mins Splunk Mania

Prerequisites
• Make sure License Master is up running
• Admin access to Splunk Web/UI, SSH Access (Backend Access) to all the
instances.
• Each cluster node (master, peer, or search head) must reside on a separate
Splunk Enterprise instance.
• Each node instance must run the same Splunk Enterprise version.
• All nodes must be connected over a network.
• Get the IP Address (or) Host Name (or) FQDN for all the nodes

Note: This Document contains the steps to create Indexer Cluster using Splunk CLI
alone.

Step-1: Enable Cluster Master Node

• SSH to the backend of Splunk Cluster Master node
• Switch user to “Splunk” using below command

sudo su - splunk

• Execute below CLI command in Cluster master instance

/opt/splunk/bin/splunk edit cluster-config -mode manager -replication_factor <repli

cation_factor> -search_factor <search_factor> -secret <indexer_cluster_secret_key>
-cluster_label <indexer_cluster_label>

e.g.:

/opt/splunk/bin/splunk edit cluster-config -mode manager -replication_factor 3 -sea

rch_factor 2 -secret SecretKeyforIndexerCluster12!@ -cluster_label IndexerClusterAl
pha

• Add below content to /opt/splunk/etc/system/server.conf (if file is not there,

create it and add)

@splunkmania #splunkmania
3
How to Create Indexer Cluster in Splunk under 10 mins Splunk Mania

[indexer_discovery]
pass4SymmKey = <indexer_discovery_secret_key>
indexerWeightByDiskCapacity = true

e.g.:

[indexer_discovery]
pass4SymmKey = SecretKeyForIndexerDiscovery12!@
indexerWeightByDiskCapacity = true

• Restart the cluster master using below command

/opt/splunk/bin/splunk restart

• Once it’s restarted, login to UI. The Indexer Clustering Page will be enabled as
shown below

At this point, our Cluster Master Node is up and running…!!

• Enable maintenance mode using below command (this is to avoid bucket fixing
up during the indexer cluster creation)

/opt/splunk/bin/splunk enable maintenance-mode

• To check maintenance mode status. The returned value of 1 indicates that the
maintenance mode is on. Value 0 indicates that the maintenance mode is off.

/opt/splunk/bin/splunk show maintenance-mode

@splunkmania #splunkmania
4
How to Create Indexer Cluster in Splunk under 10 mins Splunk Mania

Step-2: Enable Indexer-1 Node

• SSH to the backend of Splunk Indexer-1 node
• Switch user to “Splunk” using below command

sudo su - splunk

• Execute below CLI command in Cluster master instance

/opt/splunk/bin/splunk edit cluster-config -mode peer -manager_uri https://<Cluster

_Master_Node_FQDN>:8089 -replication_port 9000 -secret <indexer_cluster_secret_key>

e.g.:

/opt/splunk/bin/splunk edit cluster-config -mode peer -manager_uri https://10.128.7

4.22:8089 -replication_port 9000 -secret SecretKeyforIndexerCluster12!@

• Restart the indexer-1 using below command

/opt/splunk/bin/splunk restart

• Once restarted, please login to UI. The Indexer Clustering Page will be having
error, as the complete cluster is not ready to meet replication factor yet.
• So, without worry, please proceed with other indexers/peers’ configuration

Step-3: Enable Indexer-2 Node

• SSH to the backend of Splunk Indexer-2 node
• Repeat above steps (Step-2) to enable Indexer-2 as Indexer Cluster Peer

Step-4: Enable Indexer-3 Node

• SSH to the backend of Splunk Indexer-3 node
• Repeat above steps (Step-2) to enable Indexer-3 as Indexer Cluster Peer

@splunkmania #splunkmania
5
How to Create Indexer Cluster in Splunk under 10 mins Splunk Mania

After enabling all 3 indexers, please SSH to Cluster master node,

Execute below command to get the detailed information on each peer in the cluster

/opt/splunk/bin/splunk list cluster-peers

To get information on the cluster configuration, run this command from any node

/opt/splunk/bin/splunk list cluster-config

That’s it… Indexer Cluster has been configured successfully in Splunk…!!

Happy Splunking…!!

Any help/support required on the Indexer Cluster, please contact Splunk Mania Team
using any one of the methods mentioned in next page of this document.

@splunkmania #splunkmania
6
How to Create Indexer Cluster in Splunk under 10 mins Splunk Mania

References
Indexer cluster deployment overview - Splunk Documentation

Contact:
WhatsApp: +919345372209
Email: [email protected]
LinkedIn: https://www.linkedin.com/company/splunk-mania
Facebook: https://www.facebook.com/SplunkMania
Instagram: https://www.instagram.com/splunkmania/
Slack: https://splunkmania.slack.com/
YouTube: https://www.youtube.com/channel/UCknGfjgEIGCzb8CE6e3X_3A
Website: Splunk Mania (splunk-mania.web.app)

@splunkmania #splunkmania
7