Deployment Architecture

Adding a Search Head? Help

MarMoh
Path Finder

Hi All,

Currently I have a standalone splunk (Enterprise). Since the data volume is growing so fast we decided to add a VM as a dedicated Search Head and use the existing one as an indexer, but I have too many questions in order to proceed:
1-is it even a good idea to use VM as a dedicated search head?
2-in the documents here(http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Summaryofperformancerecommendations) number of search users are too low. Data volume wise 1 head would be enough for us but number of search users is only 4! right now too many people are using the current Splunk at the same time!
3-how much work does it take to add another search head in future? Should I make a pool? How is it going to impact the end users when we are doing it?
4-How end users can access the Splunk if we have multiple search heads or indexers. Right now we just access through https://splunk.
We are so concerned about scalability and the possible impact if we need to change the configuration in future. We'd rather configure 2 search heads now rather than next year if it impacts our end users!

Regards,
M

0 Karma
1 Solution

sdaniels
Splunk Employee
Splunk Employee

Yes, a SH is a good candidate to run in a VM. And it never hurts to build out a distributed environment to handle current needs and future growth. Reference from a previous answer here. Typically you wouldn't move to a stand alone search head until you had at least two indexers though. I would recommend talking to a Splunk sales team that can put you in touch with our Professional services folks who could implement this for you and show you how to scale it in the future.

Adding another search head in the future is very straight forward since Splunk has a flexible architecture. The same applies to indexers as well. (doc link)

Search head pooling may be beneficial depending on your requirements. It certainly allows you to share the configurations and avoid replicating data across your indexers for each new search.

You will most likely want to front end multiple search heads with a load balancer and then you can send all users to one place and SH pooling takes care of having all users see what is expected.

View solution in original post

0 Karma

sdaniels
Splunk Employee
Splunk Employee

Yes, a SH is a good candidate to run in a VM. And it never hurts to build out a distributed environment to handle current needs and future growth. Reference from a previous answer here. Typically you wouldn't move to a stand alone search head until you had at least two indexers though. I would recommend talking to a Splunk sales team that can put you in touch with our Professional services folks who could implement this for you and show you how to scale it in the future.

Adding another search head in the future is very straight forward since Splunk has a flexible architecture. The same applies to indexers as well. (doc link)

Search head pooling may be beneficial depending on your requirements. It certainly allows you to share the configurations and avoid replicating data across your indexers for each new search.

You will most likely want to front end multiple search heads with a load balancer and then you can send all users to one place and SH pooling takes care of having all users see what is expected.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...