Security

Does anyone know how and if I should remove unneeded server roles?

BlueSocket
Communicator

Dear All,

I have a 5-server infrastructure set up, with one Search Head, two clustered Indexers, a Cluster Manager/License Manager/Deployment Server and a Heavy Forwarder.

I have looked at the Distributed Management Console and found that the various servers are still configured with roles other than ones that they were configured to have, for instance, the Search Head has the Indexer role, the Indexer has the Search Head role, and the Heavy Forwarder is a Search Head and an Indexer.

It seems wasteful to me to have extra roles and possibly extra processes on the servers. I also need to be able to repeat this via CLI.

Should I disable the unneeded roles? Also, I have been looking around for CLI commands to remove the roles and can't find anything. Does anyone know these?

Kindest regards,

BlueSocket

masonmorales
Influencer

You can, but you won't really save that much in terms of system resources IMO. If no one is running searches on your indexer or heavy forwarder, simply running Splunk Web is not going to be adding much load on the system.

Are you forwarding all internal logs from your search heads to your indexers? If not, your search head is also an indexer. Same for your Heavy Forwarder. If you haven't disabled Splunk Web on your Indexers and Heavy Forwarders, then they are also search heads, since they can search their own data.

As far as configuring explicit roles in a cluster, the only configuration I know of is in server.conf, in the clustering stanza:

[clustering]
mode = [master|slave|searchhead|disabled]
    * Sets operational mode for this cluster node.
    * Only one master may exist per cluster.
    * Defaults to disabled.

http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/Serverconf

To disable Splunk Web from CLI, you can do: splunk disable webserver

For help with CLI: splunk help
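
As an added example (not part of the answer above and not Splunk's own code): a small Python audit that reads server.conf and web.conf text and reports where a host's clustering mode or Splunk Web state differs from its intended role. The role names, the role-to-setting mapping and the sample configs are assumptions made for the example; `startwebserver` in the `[settings]` stanza of web.conf is taken to be the setting that `splunk disable webserver` changes.

```python
# Clustering modes as listed in the server.conf excerpt in the answer above.
VALID_MODES = {"master", "slave", "searchhead", "disabled"}

# Assumption for this example: the clustering mode and Splunk Web state
# (True = enabled) that each intended role should have.
EXPECTED = {
    "search_head": ("searchhead", True),
    "indexer": ("slave", False),
    "cluster_manager": ("master", True),
    "heavy_forwarder": ("disabled", False),
}


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def audit(role, server_conf, web_conf):
    """Return findings where a host's config does not match its intended role."""
    want_mode, want_web = EXPECTED[role]
    # mode defaults to disabled (per the excerpt); startwebserver defaults to 1.
    mode = parse_conf(server_conf).get("clustering", {}).get("mode", "disabled")
    web = parse_conf(web_conf).get("settings", {}).get("startwebserver", "1")
    web_on = web.lower() in ("1", "true")
    findings = []
    if mode not in VALID_MODES:
        findings.append(f"unknown clustering mode '{mode}'")
    elif mode != want_mode:
        findings.append(f"clustering mode is '{mode}', expected '{want_mode}'")
    if web_on and not want_web:
        findings.append("Splunk Web is enabled; run: splunk disable webserver")
    return findings


# Constructed sample configs (not from a real deployment).
INDEXER_SERVER = "[clustering]\nmode = slave\n"
WEB_DISABLED = "[settings]\nstartwebserver = 0\n"
```

Passing the merged output of `splunk btool server list clustering` and `splunk btool web list settings` rather than a single file's text accounts for settings layered across apps.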
