Migration of the Master Node in an Index Cluster Environment

We might need to replace the master node for either of these reasons:

1.  The node fails.

2.  We need to move the master to a different machine or site.

For example, we will consider the following:

OLD : XX.XX.XX.XX   (the IP address of the OLD master node)

NEW : YY.YY.YY.YY   (the IP address of the NEW master node, to which we are going to migrate the OLD master node)


*** The NEW master does not use the same IP address or management port as the OLD one ***

1.  Go to OLD

***   Stop Splunk   ***

#  ssh root@XX.XX.XX.XX
#  cd /opt/splunk/bin
#  ./splunk stop

2.  Go to NEW

***   Install Splunk and Stop it  ***

#  ssh root@YY.YY.YY.YY
#  cd /opt/splunk/bin
#  ./splunk start --accept-license
#  ./splunk stop

3.  Go to NEW

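#  ssh root@YY.YY.YY.YY
#  cd /opt/splunk/etc/system/local/

Copy the 'sslKeysfilePassword=' line from the 'server.conf' file into a notepad. This value was encrypted on the NEW instance, so it has to be put back after the OLD file is copied over in the next step.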

4.   Go to OLD 

****  Copy the server.conf file from OLD to NEW  ***

#  ssh root@XX.XX.XX.XX
#  cd /opt/splunk/etc/system/local
# scp server.conf root@YY.YY.YY.YY:/opt/splunk/etc/system/local/.

***   Copy the master-apps directory from OLD to NEW  ***

#  cd /opt/splunk/etc/
#  scp -r master-apps root@YY.YY.YY.YY:/opt/splunk/etc/.

5.  Go to NEW

# ssh root@YY.YY.YY.YY
# cd /opt/splunk/etc/system/local
# vi server.conf

Remove the line with 'sslKeysfilePassword=.****' (the OLD master's value) and paste the 'sslKeysfilePassword=' line saved in your notepad here in its place.
Replace the value of 'serverName' with YY.YY.YY.YY

#  /opt/splunk/bin/splunk start


****  Now we have to update the 'master_uri' setting on all the peers and search heads to point to the NEW master's IP address and management port  ****

1.  Go to any one INDEXER

#  ssh root@Indexer_IP
#  cd /opt/splunk/etc/system/local
#  vi server.conf

Wherever you find 'master_uri', replace its value with https://YY.YY.YY.YY:8089

#  /opt/splunk/bin/splunk restart

Note : Perform the above actions for all the Indexers in the Cluster

2.  Go to any one SEARCH HEAD

#  ssh root@SearchHead_IP
#  cd /opt/splunk/etc/system/local
#  vi server.conf 

Wherever you find 'master_uri', replace its value with https://YY.YY.YY.YY:8089

Replace the value of 'conf_deploy_fetch_url' with https://YY.YY.YY.YY:8089

#  /opt/splunk/bin/splunk restart

Note : Perform the above actions for all the Search Heads in the Cluster
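
A quick way to confirm that no indexer or search head was missed, as an added example that is not part of the original post: the hypothetical helper `stale_master_refs` scans a `server.conf` for `master_uri` and `conf_deploy_fetch_url` values that differ from the NEW master's URI. The sample file contents and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.
# Usage: stale_master_refs <server.conf> <expected-uri>
# Prints "[stanza] key=value" for every entry that does not match the
# expected URI and returns 1 if any were found, 0 otherwise.
stale_master_refs() {
    awk -v want="$2" '
        { sub(/\r$/, "") }                        # tolerate CRLF line endings
        /^[ \t]*#/  { next }                      # skip comment lines
        /^[ \t]*\[/ { stanza = $0
                      gsub(/^[ \t]+|[ \t]+$/, "", stanza); next }
        /^[ \t]*(master_uri|conf_deploy_fetch_url)[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (val != want) { print stanza " " key "=" val; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: a search head whose master_uri was updated but whose
# conf_deploy_fetch_url still points at the OLD master.
write_sample_conf() {
    cat > "$1" <<'EOF'
[general]
serverName = sh1

[clustering]
mode = searchhead
master_uri = https://YY.YY.YY.YY:8089

[shclustering]
conf_deploy_fetch_url = https://XX.XX.XX.XX:8089
EOF
}

# Demo run against the constructed sample.
conf=$(mktemp)
write_sample_conf "$conf"
stale_master_refs "$conf" "https://YY.YY.YY.YY:8089" \
    || echo "stale references remain in $conf"
rm -f "$conf"
```

On a real node, point the helper at /opt/splunk/etc/system/local/server.conf before restarting Splunk.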

Now your master node in the cluster environment has been successfully migrated!

Hope you are now comfortable with: Migration of the Master Node in an Index Cluster Environment



  1. First of all, congratulations on the new site. It is really amazing following someone having A GREAT BLOG! These blogs are really helpful for those who started a career in the Splunk area. I am sure in future these blogs will be more interesting and knowledgeable.
    Wonderful thoughts and great overview examples on blogging.
    Great job Abhay!
    Have a nice day………keep on blogging 🙂

  2. Thanks Palash, stay tuned and in touch to get more topics on Splunk which would definitely help Splunkers to do the best in their field.

  3. Awesome piece of information. I had come to know about your blog from my friend Vimal, Mumbai. I have read at least 3 posts of yours by now, and let me tell you, your blog gives the best and the most interesting information. This is just the kind of information that I had been looking for. I'm already your RSS reader now and I would regularly watch out for the new posts. Once again hats off to you! Thanks a million once again, Regards
