Deployment Architecture

Are there any advantages to having Indexes on Search Heads in an Index Cluster Environment?

Gregski11
Path Finder

Hi All,

I have limited experience with Splunk (just over a year) and I joined a new team with a pretty hefty Splunk rollout: many search heads, a large Index cluster (sorry, I can't give away the details).

Anyway, I noticed that there are like 50 Indexes on the Index Cluster, as shown on the Cluster Master, yet some of the Search Heads (which are not clustered, by the way, just letting you know) have maybe 75 or up to 95 Indexes on them. I see that these Search Heads are set up to forward their Indexes to the Index Clusters, but I don't get two things:

1. How do you fit 75 Indexes from the Search Head into 50 Indexes on the Index Cluster? Ha ha

2. Are there any advantages or disadvantages to having local Indexes on the Search Heads which are totally empty and just forward them to the Index Cluster? Why would anyone do that?

I hope you followed all that and can educate me on it. Thank you.

0 Karma

scelikok
SplunkTrust

Hi @Gregski11,

On an Indexer Cluster, only indexers defined in the Cluster Master are active. Since the search head is forwarding its events to the cluster, it is normal that all its indexes are empty.

It is a best practice to put a copy of indexes.conf on Search Heads too. This will make autocomplete work in the search bar, which helps users remember index names.

If this reply helps you, an upvote is appreciated.
0 Karma
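
To see which index names account for the difference between a search head and the cluster, the stanza names in the two `indexes.conf` files can be compared. This is an added example, not part of the original thread: the two configurations are constructed samples, and the function names are hypothetical.

```python
import re

# Stanza prefixes in indexes.conf that configure something other than an index.
NON_INDEX_PREFIXES = ("volume:", "provider:", "provider-family:")

def index_names(conf_text):
    """Return the set of index names defined by stanza headers in indexes.conf text."""
    names = set()
    for raw in conf_text.splitlines():
        m = re.fullmatch(r"\[([^\]]+)\]", raw.strip())
        if not m:
            continue  # settings, comments and blank lines are ignored
        name = m.group(1).strip()
        if name == "default" or name.startswith(NON_INDEX_PREFIXES):
            continue  # global defaults and non-index stanzas
        names.add(name)
    return names

def compare(search_head_conf, cluster_conf):
    """Split index names into those on one side only and those on both."""
    sh, cl = index_names(search_head_conf), index_names(cluster_conf)
    return {
        "only_on_search_head": sorted(sh - cl),
        "only_on_cluster": sorted(cl - sh),
        "shared": sorted(sh & cl),
    }

# Constructed sample: indexes.conf as found on a search head.
SEARCH_HEAD_CONF = """
[default]
frozenTimePeriodInSecs = 7776000
[volume:primary]
path = /opt/splunk/var/lib/splunk
# [commented_out] is not a stanza
[main]
homePath = $SPLUNK_DB/defaultdb/db
[web]
homePath = volume:primary/web/db
[old_app]
homePath = volume:primary/old_app/db
"""

# Constructed sample: indexes.conf as distributed to the indexer cluster.
CLUSTER_CONF = "[main]\nrepFactor = auto\n[web]\nrepFactor = auto\n[firewall]\nrepFactor = auto\n"

if __name__ == "__main__":
    for group, names in compare(SEARCH_HEAD_CONF, CLUSTER_CONF).items():
        print(f"{group}: {', '.join(names) or '-'}")
```
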