Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why do we need to set up same instances on every Indexer for Distributed search?

Shridhar7Hitesh
Explorer
‎11-20-2017 02:39 AM

Let' s say 2 servers behaving as Indexers which have Splunk Enterprise already deployed on them.

There is one Forwarder and 1 search Head and 2 Server behaving as Indexer and 1 Indexer already so total 3 indexers.

Why do we need to set up same instances on every Indexer for Distributed search?

1.) Why do I need to make same instance while Search Head will search from all three (if not specified a particular Indexer.)

2.) What is the benefit of Data load Balancing in this scenario ( How data Load will help Search head) ?

Please reply and help me clearing my doubts.

Thanks,
Hitesh.

Tags (1)
0 Karma
Reply

Shridhar7Hitesh
Explorer
‎11-21-2017 03:43 AM

Hi Giuseppe,

For distributed search I can have different Indexers from which search head will get the desired results. Now these 3 indexers can have different data and different instances.

My question is why it is important to make same instances on the all of the indexers?
{I didn't understand the importance.}

Load Balancing I understood clearly. Thanks for that.

Hitesh Shridhar.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-20-2017 02:49 AM

Hi Shridhar7Hitesh,
what do you mean with "same instances on every Indexer for Distributed search" ? you can have different indexes in your indexers though it's better to have all the indexes on all Indexers for a better load distribution (see item 2).

Data Load Balancing has two main advantages:

  • load distribution between different indexes so if there is an overload of ingestion two o three indexers can load quickly a large mass of logs than one (remember that if an indexer is overloaded both ingestion and searches are queued !
  • Fail over: if one indexer is down the others can ingest logs.

Bye.
Giuseppe

Reply

gcusello
SplunkTrust
SplunkTrust
‎11-21-2017 03:48 AM

Hi Shridhar7Hitesh,
Sorry if I repeat my question but I don't understand:
what do you mean with "same instances on every Indexer for Distributed search" ?
are you speaking of Splunk version or of Indexes?
Bye.
Giuseppe

0 Karma
Reply

Shridhar7Hitesh
Explorer
‎11-21-2017 04:24 AM

Hi Giuseppe,

Is it possible that 1 server is *NIX ( Splunk Enterprise) deployed as Indexer and 1 server has windows (Splunk Enterprise) deployed as Indexer and then both can communicate properly being search peers?

Actually I am also not sure, what doe "same instances mean". I am trying to find that as well.

Thanks,
Hitesh

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-21-2017 04:35 AM

Hi Shridhar7Hitesh,
I never tested this architecture!
In theory it should run, but it isn't a good configuration because you have to use different settings between your two indexers (e.g. paths in indexes.conf) and it's difficoult to manage.
When you use a cluster, you're even forced to use the same Splunk version!

I usually use only Unix servers as Indexers, I use Windows only on my test machine.

I suggest to use the same operative system on all your infrastructure, at most I used different versions of the same OS (Red Hat 6.4 and 6.6 or 7.0)

About Splunk versions, at most you can use different versions between Search Heads and Indexers but the same version in the same application level.

Bye.
Giuseppe

Reply

Shridhar7Hitesh
Explorer
‎11-22-2017 01:20 AM

That makes sense. But I really wonder that how much difficulty it might contain to use.
Thanks for the answer and clarification.

Cheers,
Hitesh Shridhar.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...