Deployment Architecture

Best practices to create a search head cluster

llacoste
Path Finder

Hi all,

 

So I was wondering as I was writing some docs today and playing around creating some clusters... I was always taught and always read that you should not use the Deployment Server to create a Search Head Cluster as the /etc/apps gets wiped by the Deployer whenever the Search Heads turn into a cluster. That much I understand.

That's why we always use CLI to initialise the SHs and then bootstrap the captain and attach to the Cluster Master.

But, I was wondering as I was going through my Splunk Core Consultant notes, in one of the PPT slides I remember I saw a comment stating something like: /etc/apps would be wiped and you would have to deploy those configurations again in the /etc/shcluster/apps in the deployer.

 

So, what is the 'official' best practice on a "Professional Services Consultant level" around that Search Head clustering? I am using all the official splunk base apps already to install my clusters but when it comes to the SH Cluster I always go CLI..

 

Thank you for your time and answer 🙂

Labels (1)
0 Karma

llacoste
Path Finder

I see it's as clear for you it is for me 😄

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.