Deployment Architecture

Adding a Search Head? Help

MarMoh
Path Finder

Hi All,

Currently I have a standalone Splunk (Enterprise). Since the data volume is growing so fast, we decided to add a VM as a dedicated search head and use the existing one as an indexer, but I have too many questions in order to proceed:
1. Is it even a good idea to use a VM as a dedicated search head?
2. In the documents here (http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Summaryofperformancerecommendations), the number of search users is too low. Data volume wise, 1 head would be enough for us, but the number of search users is only 4! Right now too many people are using the current Splunk at the same time!
3. How much work does it take to add another search head in the future? Should I make a pool? How is it going to impact the end users when we are doing it?
4. How can end users access Splunk if we have multiple search heads or indexers? Right now we just access it through https://splunk.
We are so concerned about scalability and the possible impact if we need to change the configuration in the future. We'd rather configure 2 search heads now rather than next year if it impacts our end users!

Regards,
M

1 Solution

sdaniels
Splunk Employee

Yes, a SH is a good candidate to run in a VM. And it never hurts to build out a distributed environment to handle current needs and future growth. Reference from a previous answer here. Typically you wouldn't move to a standalone search head until you had at least two indexers, though. I would recommend talking to a Splunk sales team that can put you in touch with our Professional Services folks, who could implement this for you and show you how to scale it in the future.

Adding another search head in the future is very straightforward since Splunk has a flexible architecture. The same applies to indexers as well. (doc link)

Search head pooling may be beneficial depending on your requirements. It certainly allows you to share the configurations and avoid replicating data across your indexers for each new search.

You will most likely want to front-end multiple search heads with a load balancer, and then you can send all users to one place and SH pooling takes care of having all users see what is expected.
