Deployment Architecture

Can a search head cluster be implemented without integrating with deployer?

jet1276
Path Finder

I have a standalone search head connected to only one search peer. Now I am introducing another search head to the environment and trying to implement a search head cluster with two search heads.

Now, can I achieve that without integrating these search heads with a deployer instance, or is a deployer mandatory to implement a search head cluster?

gjanders
SplunkTrust

The deployer is required for search head clustering, and you will need 3 search heads to create a usable cluster.
Refer to "Captain election process has deployment implications":

"A cluster should consist of a minimum of three members. A two-member cluster cannot tolerate any node failure. Failure of either member will prevent the cluster from electing a captain and continuing to function. Captain election requires majority (51%) assent of all members, which, in the case of a two-member cluster, means that both nodes must be running. You therefore forfeit the high availability benefits of a search head cluster if you limit it to two members."

Also, the deployer is part of the search head cluster architecture.

lfedak_splunk
Splunk Employee

@jet1276, if they solved your problem, remember to "√Accept" an answer to award karma points 🙂

ddrillic
Ultra Champion

jet1276
Path Finder
  1. Even if I use two search heads instead of three, I should still be able to use them as my search head cluster, right? The only thing is I won't be able to get the node failure benefit.
  2. Even though it is part of the architecture, can it be bypassed or not?

gjanders
SplunkTrust

(1) Yes, I ran 2 nodes in development before I understood the issues. Occasionally they did get stuck in the scenario where there was no elected captain (it was development, so it was for Splunk testing only). Eventually we built a 3rd and that resolved the issue.

(2) No, a deployer is what deploys the apps to the search heads in a cluster; they can also contact it on startup to ensure they have the current bundle of apps. So you will need a deployer. Your deployer server might also be a cluster master, but you will need a server to place the shcluster directory on and to apply the shcluster bundle.
