Deployment Architecture

Best practices to create a search head cluster

Path Finder

Hi all,


So I was wondering as I was writing some docs today and playing around creating some clusters... I was always taught and always read that you should not use the Deployment Server to create a Search Head Cluster as the /etc/apps gets wiped by the Deployer whenever the Search Heads turn into a cluster. That much I understand.

That's why we always use CLI to initialise the SHs and then bootstrap the captain and attach to the Cluster Master.

But, I was wondering as I was going through my Splunk Core Consultant notes, in one of the PPT slides I remember I saw a comment stating something like: /etc/apps would be wiped and you would have to deploy those configurations again in the /etc/shcluster/apps in the deployer.


So, what is the 'official' best practice on a "Professional Services Consultant level" around that Search Head clustering? I am using all the official splunk base apps already to install my clusters but when it comes to the SH Cluster I always go CLI..


Thank you for your time and answer 🙂

Labels (1)
0 Karma

Path Finder

I see it's as clear for you it is for me 😄

Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...