topic Re: Search Head on Splunk Cloud in Deployment Architecture

Search Head on Splunk Cloud

cpraz_ord — Thu, 04 Aug 2016 02:44:41 GMT

Hi...I believe Splunk Cloud has 3 indexers, what about Search Heads? If there multiple Search Heads, does the ES app get propagated across SH clusters & Index clusters?

Re: Search Head on Splunk Cloud

somesoni2 — Thu, 04 Aug 2016 03:14:11 GMT

Take a look at these posts

https://answers.splunk.com/answers/331435/search-head-clustering-enterprise-security-and-pci.html
https://answers.splunk.com/answers/231809/how-to-deploy-the-splunk-app-for-enterprise-securi.html

Re: Search Head on Splunk Cloud

pgreer_splunk — Fri, 05 Aug 2016 20:51:15 GMT

A base build is 1-3 (being one search head and 3x indexers). Of course, each build is sized to a customer's initial target ingest rate, data retention, etc.

If a customer is large enough (enough concurrent users) a search head might initially be deployed. Otherwise they are single search heads.

You are correct, if there is a premium app purchased (such as ES or ITSI) that warrants it's own search head, then a second (or more) search head will be deployed. Typically a base search head is at a canonical name https://.splunkcloud.com where the additional ES search head would reside at https://es-.splunkcloud.com.

Again, that being said, if the size of the customer, concurrent users, search load, etc. - then a search head cluster might be deployed (for the ad-hoc searching purposes or independently for ES).

As for propagation across search heads and indexers, it depends on the app. If the app requires indexing time props/transforms then there will be configuration pieces on the indexers. If the app only has search time props/transforms then it may only reside on the search head (or search heads if in a search head cluster).

Re: Search Head on Splunk Cloud

KKuser — Fri, 21 Feb 2025 14:29:11 GMT

I see an architecture online for Splunk Cloud. The Splunk Cloud has Search Tier[Search Head(core), Search Head(Enterprise Security)], Indexing Tier(I see 3 indexers picture), Management Tier[Cluster Manager].

Is this a valid Splunk Cloud architecture? If at all there is a search head cluster, will it be mentioned here in the architecture diagram? I'm trying to figure out if there are multiple instances of Splunk Cloud, can I know if knowledge objects present in 1 instance can be seen in other instance as well.

Re: Search Head on Splunk Cloud

gcusello — Fri, 21 Feb 2025 14:58:11 GMT

Hi @KKuser ,

at first, don't attach a new question to a so old one (nine years ago!) even if on the same topic because it's difficoult to have an answer, it's always better to create a new question.

Anyway, if you need information about a validated Splunk architecture for an on premise or hybrid installation see at https://docs.splunk.com/Documentation/SVA/current/Architectures/About

Anyway, in Splunk Cloud you only see two machines: one Search Head for ES and one Search Head for the other apps.

You don't know if there's a Search Head Cluster, probably not also because you see only two machines and SH Cluster need three machines.

In addition you can upload apps and this operation isn't possible on SH Clusters.

In addition, the Indexer layer ss not visible for you even if you see three Indexers and you cannot see the Cluster Manager.

Surely there are many instance of Splunk Cloud in different AWS machines.

For more information see at https://docs.splunk.com/Documentation/SVA/current/Architectures/SCPExperience

Ciao.

Giuseppe