The name of each search head and search peer is determined by its serverName attribute, specified in server.conf. The serverName attribute defaults to the server's machine name.

In distributed search, all search heads and search peers in the group must have unique names. The serverName has three specific uses in distributed search:

• For authenticating search heads. When search peers are authenticating a search head, they look for the search head's key file in /etc/auth/distServerKeys/<searchhead_name>/trusted.pem.
• For identifying search peers in search queries.serverName is the value of the splunk_server field that you specify when you want to query a specific node. See Search across one or more distributed search peers in the Search manual.
• For identifying search peers in search results.serverName gets reported back in the splunk_server field.
  Note:

  Note:serverName is not used when adding search peers to a search head. In that case, you identify the search peers through their domain names or IP addresses.

The only reason to change serverName is if you have multiple instances of Splunk Enterprise residing on a single machine, and they're participating in the same distributed search group. In that case, you'll need to change serverName to distinguish them.