Solved: Can a search head cluster be implemented without i...

jet1276 · ‎09-13-2017

I have a standalone search head connected to only one search peer. Now I am introducing another search head to the environment and trying to implement a search head cluster with two search heads.

Now can I achieve that without integrating these search heads with a deployer instance OR deployer is mandatory to implement search head cluster?

gjanders · ‎09-13-2017

The deployer is required for search head clustering and you will need 3 search heads to create a usable cluster.
Refer to Captain election process has deployment implications:

" A cluster should consist of a minimum of three members. A two-member cluster cannot tolerate any node failure. Failure of either member will prevent the cluster from electing a captain and continuing to function. Captain election requires majority (51%) assent of all members, which, in the case of a two-member cluster, means that both nodes must be running. You therefore forfeit the high availability benefits of a search head cluster if you limit it to two members."

Also the deployer is part of the search head cluster architecture

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

View solution in original post

lfedak_splunk · ‎09-13-2017

@jet1276, if they solved your problem, remember to "√Accept" an answer to award karma points 🙂

ddrillic · ‎09-13-2017

The following says System requirements and other deployment considerations for search head clusters

gjanders · ‎09-13-2017

The deployer is required for search head clustering and you will need 3 search heads to create a usable cluster.
Refer to Captain election process has deployment implications:

" A cluster should consist of a minimum of three members. A two-member cluster cannot tolerate any node failure. Failure of either member will prevent the cluster from electing a captain and continuing to function. Captain election requires majority (51%) assent of all members, which, in the case of a two-member cluster, means that both nodes must be running. You therefore forfeit the high availability benefits of a search head cluster if you limit it to two members."

Also the deployer is part of the search head cluster architecture

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

jet1276 · ‎09-13-2017

Even if I use two search heads instead of three, still I should be able to use them as my search head cluster right?? Only thing is I won't able to get node failure benefit.
Even though it being part of the architecture, can it be bypassed or not??

gjanders · ‎09-13-2017

(1) Yes I ran 2 nodes in development before I understood the issues, occasionally they did get stuck in the scenario where there was no elected captain (it was development so it was for Splunk testing only), eventually we built a 3rd and that resolved the issue.

(2) No, a deployer is what deploys the apps to the search heads in a cluster, they can also contact it on startup to ensure they have the current bundle of apps...so you will need a deployer, your deployer server might also be a cluster master but you will need a server to place the shcluster directory on and to apply the shcluster bundle...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

Can a search head cluster be implemented without integrating with deployer?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk