Can a search head cluster be implemented without integrating with deployer?

jet1276
Path Finder

I have a standalone search head connected to only one search peer. Now I am introducing another search head to the environment and trying to implement a search head cluster with two search heads.

Now, can I achieve that without integrating these search heads with a deployer instance, or is a deployer mandatory to implement a search head cluster?


gjanders
SplunkTrust

The deployer is required for search head clustering and you will need 3 search heads to create a usable cluster.
Refer to "Captain election process has deployment implications":

"A cluster should consist of a minimum of three members. A two-member cluster cannot tolerate any node failure. Failure of either member will prevent the cluster from electing a captain and continuing to function. Captain election requires majority (51%) assent of all members, which, in the case of a two-member cluster, means that both nodes must be running. You therefore forfeit the high availability benefits of a search head cluster if you limit it to two members."

Also, the deployer is part of the search head cluster architecture.

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/

lfedak_splunk
Splunk Employee

@jet1276, if they solved your problem, remember to "√Accept" an answer to award karma points 🙂

jet1276
Path Finder
  1. Even if I use two search heads instead of three, I should still be able to use them as my search head cluster, right? The only thing is I won't be able to get the node failure benefit.
  2. Even though it is part of the architecture, can it be bypassed or not?

gjanders
SplunkTrust

(1) Yes, I ran 2 nodes in development before I understood the issues. Occasionally they did get stuck in the scenario where there was no elected captain (it was development, so it was for Splunk testing only). Eventually we built a 3rd and that resolved the issue.

(2) No, a deployer is what deploys the apps to the search heads in a cluster; they can also contact it on startup to ensure they have the current bundle of apps. So you will need a deployer. Your deployer server might also be a cluster master, but you will need a server to place the shcluster directory on and to apply the shcluster bundle.

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
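
How the deployer described in the answer above ties into each member's configuration, as an added example that is not part of the original thread or Splunk's own text. The hostnames, ports, cluster label and the `<shared-secret>` placeholder are assumptions.

```ini
# --- On the deployer: $SPLUNK_HOME/etc/system/local/server.conf ---
# The deployer is a separate Splunk instance, not a cluster member.
# Apps to distribute are staged under $SPLUNK_HOME/etc/shcluster/apps/
# and pushed with:
#   splunk apply shcluster-bundle -target https://sh1.example.com:8089 -auth <user>:<password>
[shclustering]
# Must match the value configured on every member (placeholder).
pass4SymmKey = <shared-secret>
# Must match the label configured on every member (assumed name).
shcluster_label = shcluster1

# --- On each member (sh1 shown): $SPLUNK_HOME/etc/system/local/server.conf ---
# Port used for artifact replication between members (assumed value).
[replication_port://34567]

[shclustering]
disabled = 0
# This member's own management URI (assumed hostname).
mgmt_uri = https://sh1.example.com:8089
# Three members, as the answer recommends, so one can fail and
# the remaining two still form a majority for captain election.
replication_factor = 3
# Where the member fetches the current app bundle on startup.
conf_deploy_fetch_url = https://deployer.example.com:8089
pass4SymmKey = <shared-secret>
shcluster_label = shcluster1
```

Anyone holding the `pass4SymmKey` value can authenticate as part of the cluster, so treat it like any other credential and restrict read access to `server.conf` on the deployer and on every member.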