Deployment Architecture

Are there any advantages to having Indexes on Search Heads in an Index Cluster Environment?

Gregski11
Explorer

Hi All,

I have limited experience with Splunk (just over a year) and I joined a new team with a pretty hefty Splunk rollout: many search heads and a large Index cluster (sorry, I can't give away the details).

Anyway, I noticed that there are like 50 Indexes on the Index Cluster as shown on the Cluster Master, yet some of the Search Heads (which are not clustered, by the way, just letting you know) have maybe 75 or up to 95 Indexes on them. I see that these Search Heads are set up to forward their Indexes to the Index Clusters, but I don't get two things:

1. How do you fit 75 Indexes from the Search Head into 50 Indexes on the Index Cluster, ha ha?

2. Are there any advantages or disadvantages to having local Indexes on the Search Heads which are totally empty and just forward them to the Index Cluster? Why would anyone do that?

I hope you followed all that and can educate me on it, thank you.

0 Karma

scelikok
Champion

Hi @Gregski11,

On an Indexer Cluster, only indexers defined in the Cluster Master are active. Since the search head is forwarding its events to the cluster, it is normal that all its indexes are empty.

It is a best practice to put a copy of indexes.conf on Search Heads too. This makes autocomplete work in the search bar, which helps users remember index names.

If this reply helps you, an upvote is appreciated.
0 Karma
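
One way to check the mismatch raised in the question is to diff the index stanzas in a search head's indexes.conf against the copy distributed to the cluster peers. This is an added example, not part of the original thread; the file contents and index names below are constructed, and it assumes both files are available as text.

```python
import re

# Stanza types in indexes.conf that do not define an index.
NON_INDEX_PREFIXES = ("volume:", "provider:", "provider-family:")
STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")

def index_names(conf_text):
    """Return the set of index stanza names found in indexes.conf text."""
    names = set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        match = STANZA.match(line)
        if not match:
            continue                      # key = value setting, not a stanza
        name = match.group("name").strip()
        if name == "default" or name.startswith(NON_INDEX_PREFIXES):
            continue                      # global defaults, volumes, providers
        names.add(name)
    return names

def compare(search_head_conf, cluster_conf):
    """Group index names by where they are defined."""
    sh, cl = index_names(search_head_conf), index_names(cluster_conf)
    return {
        "search_head_only": sorted(sh - cl),  # no matching index on the cluster
        "cluster_only": sorted(cl - sh),      # not offered by autocomplete on the SH
        "common": sorted(sh & cl),
    }

# Constructed sample files (index names are hypothetical).
SEARCH_HEAD_CONF = """
[default]
frozenTimePeriodInSecs = 7776000
[volume:hot]
path = /opt/splunk/hot
[firewall]
homePath = volume:hot/firewall/db
[proxy]
homePath = volume:hot/proxy/db
[old_vpn]
homePath = volume:hot/old_vpn/db
"""
CLUSTER_CONF = """
# pushed from the Cluster Master
[firewall]
repFactor = auto
[proxy]
repFactor = auto
[endpoint]
repFactor = auto
"""

if __name__ == "__main__":
    for group, names in compare(SEARCH_HEAD_CONF, CLUSTER_CONF).items():
        print(f"{group}: {', '.join(names) or '-'}")
```

Names reported under `search_head_only` are the ones to review: they are defined locally on the search head but have no counterpart in the cluster's configuration.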