Deployment Architecture

Can a search head cluster be implemented without integrating with deployer?

jet1276
Path Finder

I have a standalone search head connected to only one search peer. Now I am introducing another search head to the environment and trying to implement a search head cluster with two search heads.

Now can I achieve that without integrating these search heads with a deployer instance OR deployer is mandatory to implement search head cluster?

0 Karma
1 Solution

gjanders
SplunkTrust
SplunkTrust

The deployer is required for search head clustering and you will need 3 search heads to create a usable cluster.
Refer to Captain election process has deployment implications:

" A cluster should consist of a minimum of three members. A two-member cluster cannot tolerate any node failure. Failure of either member will prevent the cluster from electing a captain and continuing to function. Captain election requires majority (51%) assent of all members, which, in the case of a two-member cluster, means that both nodes must be running. You therefore forfeit the high availability benefits of a search head cluster if you limit it to two members."

Also the deployer is part of the search head cluster architecture

View solution in original post

lfedak_splunk
Splunk Employee
Splunk Employee

@jet1276, if they solved your problem, remember to "√Accept" an answer to award karma points 🙂

0 Karma

ddrillic
Ultra Champion

gjanders
SplunkTrust
SplunkTrust

The deployer is required for search head clustering and you will need 3 search heads to create a usable cluster.
Refer to Captain election process has deployment implications:

" A cluster should consist of a minimum of three members. A two-member cluster cannot tolerate any node failure. Failure of either member will prevent the cluster from electing a captain and continuing to function. Captain election requires majority (51%) assent of all members, which, in the case of a two-member cluster, means that both nodes must be running. You therefore forfeit the high availability benefits of a search head cluster if you limit it to two members."

Also the deployer is part of the search head cluster architecture

jet1276
Path Finder
  1. Even if I use two search heads instead of three, still I should be able to use them as my search head cluster right?? Only thing is I won't able to get node failure benefit.
  2. Even though it being part of the architecture, can it be bypassed or not??
0 Karma

gjanders
SplunkTrust
SplunkTrust

(1) Yes I ran 2 nodes in development before I understood the issues, occasionally they did get stuck in the scenario where there was no elected captain (it was development so it was for Splunk testing only), eventually we built a 3rd and that resolved the issue.

(2) No, a deployer is what deploys the apps to the search heads in a cluster, they can also contact it on startup to ensure they have the current bundle of apps...so you will need a deployer, your deployer server might also be a cluster master but you will need a server to place the shcluster directory on and to apply the shcluster bundle...

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...