Re: Best practices to create a search head cluster

llacoste · ‎12-18-2020

Hi all,

So I was wondering as I was writing some docs today and playing around creating some clusters... I was always taught and always read that you should not use the Deployment Server to create a Search Head Cluster as the /etc/apps gets wiped by the Deployer whenever the Search Heads turn into a cluster. That much I understand.

That's why we always use CLI to initialise the SHs and then bootstrap the captain and attach to the Cluster Master.

But, I was wondering as I was going through my Splunk Core Consultant notes, in one of the PPT slides I remember I saw a comment stating something like: /etc/apps would be wiped and you would have to deploy those configurations again in the /etc/shcluster/apps in the deployer.

So, what is the 'official' best practice on a "Professional Services Consultant level" around that Search Head clustering? I am using all the official splunk base apps already to install my clusters but when it comes to the SH Cluster I always go CLI..

Thank you for your time and answer 🙂

llacoste · ‎12-19-2020

I see it's as clear for you it is for me 😄

Best practices to create a search head cluster

search head clustering

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?

Best practices to create a search head cluster

search head clustering

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)