Deployment Architecture

Are there any advantages to having Indexes on Search Heads in an Index Cluster Environment?


Hi All 

I have limited experience with Splunk (just over a year) and I joined a new team with a pretty hefty Splunk roll out, many search heads, a large Index cluster (sorry I can't give away the details)

anyway I noticed that there are like 50 Indexes on the Index Cluster as shown on the Cluster Master yet some of the Search Heads (which are not clustered by the way, just letting you know) have maybe 75 or up to 95 Indexes on them, I see that these Search Heads are set up to forward their Indexes to the Index Clusters but I don't get two things:

1. how do you fit 75 Indexes from the Search Head into 50 Indexes on the Index Cluster, ha ha

2. are there any advantages or disadvantages to having local Indexes on the Search Heads which are totally empty and just forward them to the Index Cluster?  why would anyone do that?

I hope you followed all that and can educate me on it, thank you

Labels (1)
0 Karma


Hi @Gregski11,

On Indexer Cluster only indexers defined in Cluster Master are active. Since search head is forwarding its events to cluster it is normal all its indexes are empty. 

It is a best practice to put a copy of indexes.conf to Search Heads too. This will make autocomplete work on search bar that helps users to remember index names.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...