Kindly tear down whole search head clustering setup.

Edit server.conf in $SPLUNK_HOME/etc/system/local and remove [shclustering] and [replication_port] stanza from each search head and restart them.

Also remove [shclustering] stanza from server.conf on deployer in $SPLUNK_HOME/etc/system/local and restart.

In my case I first followed above steps and then did whole clustering setup and it worked.

don't forget to restart search heads and deployer after tearing the setup.

I hope this helps.

adding the -auth argument doesn't make a difference. It just prevents you from getting prompted for credentials.

I ran the following on each of the 3 search heads (splunk1,2,3) after installing splunk, configuring them as License slaves, and changing the admin passwords.

/opt/splunk/bin/splunk init shcluster-config -mgmt_uri https://splunkdeployer:8089 -replication_port 9200 -secret XXXXX

Then I ran this on one of the search heads:

/opt/splunk/bin/splunk bootstrap shcluster-captain -servers_list https://splunk1.acml.com:8089,https://splunk2.acml.com:8089,https://splunk3.acml.com:8089

and got the following...

In handler 'shclustermemberconsensus': Failed to Set Configuration. One potential is captain could not hear back from all the nodes in a timeout period. Ensure alladded nodes are up, and increase the raft timeout. If all nodes are up and runningat splunkd.log for appendEntries errors due to mgmt_uri mismatch