Deployment Architecture

Adding a Search Head? Help

MarMoh
Path Finder

Hi All,

Currently I have a standalone Splunk (Enterprise). Since the data volume is growing so fast, we decided to add a VM as a dedicated search head and use the existing one as an indexer, but I have too many questions in order to proceed:
1. Is it even a good idea to use a VM as a dedicated search head?
2. In the documents here (http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Summaryofperformancerecommendations) the number of search users is too low. Data volume wise, 1 head would be enough for us, but the number of search users is only 4! Right now too many people are using the current Splunk at the same time!
3. How much work does it take to add another search head in the future? Should I make a pool? How is it going to impact the end users when we are doing it?
4. How can end users access Splunk if we have multiple search heads or indexers? Right now we just access it through https://splunk.
We are so concerned about scalability and the possible impact if we need to change the configuration in the future. We'd rather configure 2 search heads now rather than next year if it impacts our end users!

Regards,
M

0 Karma
1 Solution

sdaniels
Splunk Employee

Yes, a SH is a good candidate to run in a VM. And it never hurts to build out a distributed environment to handle current needs and future growth. Reference from a previous answer here. Typically you wouldn't move to a standalone search head until you had at least two indexers though. I would recommend talking to a Splunk sales team that can put you in touch with our Professional Services folks who could implement this for you and show you how to scale it in the future.

Adding another search head in the future is very straightforward since Splunk has a flexible architecture. The same applies to indexers as well. (doc link)

Search head pooling may be beneficial depending on your requirements. It certainly allows you to share the configurations and avoid replicating data across your indexers for each new search.

You will most likely want to front end multiple search heads with a load balancer, and then you can send all users to one place and SH pooling takes care of having all users see what is expected.

0 Karma
