topic Re: Why do we need to set up same instances on every Indexer for Distributed search? in Getting Data In

Why do we need to set up same instances on every Indexer for Distributed search?

Shridhar7Hitesh — Mon, 20 Nov 2017 10:39:57 GMT

Let' s say 2 servers behaving as Indexers which have Splunk Enterprise already deployed on them.

There is one Forwarder and 1 search Head and 2 Server behaving as Indexer and 1 Indexer already so total 3 indexers.

Why do we need to set up same instances on every Indexer for Distributed search?

1.) Why do I need to make same instance while Search Head will search from all three (if not specified a particular Indexer.)

2.) What is the benefit of Data load Balancing in this scenario ( How data Load will help Search head) ?

Please reply and help me clearing my doubts.

Thanks,
Hitesh.

Re: Why do we need to set up same instances on every Indexer for Distributed search?

gcusello — Mon, 20 Nov 2017 10:49:13 GMT

Hi Shridhar7Hitesh,
what do you mean with "same instances on every Indexer for Distributed search" ? you can have different indexes in your indexers though it's better to have all the indexes on all Indexers for a better load distribution (see item 2).

Data Load Balancing has two main advantages:

load distribution between different indexes so if there is an overload of ingestion two o three indexers can load quickly a large mass of logs than one (remember that if an indexer is overloaded both ingestion and searches are queued !
Fail over: if one indexer is down the others can ingest logs.

Bye.
Giuseppe

Re: Why do we need to set up same instances on every Indexer for Distributed search?

Shridhar7Hitesh — Tue, 21 Nov 2017 11:43:05 GMT

Hi Giuseppe,

For distributed search I can have different Indexers from which search head will get the desired results. Now these 3 indexers can have different data and different instances.

My question is why it is important to make same instances on the all of the indexers?
{I didn't understand the importance.}

Load Balancing I understood clearly. Thanks for that.

Hitesh Shridhar.

Re: Why do we need to set up same instances on every Indexer for Distributed search?

gcusello — Tue, 21 Nov 2017 11:48:47 GMT

Hi Shridhar7Hitesh,
Sorry if I repeat my question but I don't understand:
what do you mean with "same instances on every Indexer for Distributed search" ?
are you speaking of Splunk version or of Indexes?
Bye.
Giuseppe

Re: Why do we need to set up same instances on every Indexer for Distributed search?

Shridhar7Hitesh — Tue, 21 Nov 2017 12:24:08 GMT

Hi Giuseppe,

Is it possible that 1 server is *NIX ( Splunk Enterprise) deployed as Indexer and 1 server has windows (Splunk Enterprise) deployed as Indexer and then both can communicate properly being search peers?

Actually I am also not sure, what doe "same instances mean". I am trying to find that as well.

Thanks,
Hitesh

Re: Why do we need to set up same instances on every Indexer for Distributed search?

gcusello — Tue, 21 Nov 2017 12:35:35 GMT

Hi Shridhar7Hitesh,
I never tested this architecture!
In theory it should run, but it isn't a good configuration because you have to use different settings between your two indexers (e.g. paths in indexes.conf) and it's difficoult to manage.
When you use a cluster, you're even forced to use the same Splunk version!

I usually use only Unix servers as Indexers, I use Windows only on my test machine.

I suggest to use the same operative system on all your infrastructure, at most I used different versions of the same OS (Red Hat 6.4 and 6.6 or 7.0)

About Splunk versions, at most you can use different versions between Search Heads and Indexers but the same version in the same application level.

Bye.
Giuseppe

Re: Why do we need to set up same instances on every Indexer for Distributed search?

Shridhar7Hitesh — Wed, 22 Nov 2017 09:20:29 GMT

That makes sense. But I really wonder that how much difficulty it might contain to use.
Thanks for the answer and clarification.

Cheers,
Hitesh Shridhar.