Here are my requirements:
- storing data on country-specific sites (for legal reasons, the data that is going to be indexed needs to physically stay in the country where it got created)
- searching across all sites
My current design is the following:
- 3 completely independent index clusters in different sites with no replication between them
- 1 search head cluster (with a load balancer in front), that would use the 3 indexer clusters as its search peers
Is that even possible?
I think I understood that a single search head can search across several indexer clusters, but I am not entirely sure the search head cluster allows for that.
Also, do I need to add a search head inside each indexer cluster to make this whole system work? Or should I only do that if I want each indexer cluster to be searchable on its own?
Sure, search across multisite multi-cluster is possible. You will only need one Searchhead.
There's a good doc about it, please have a look at
http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Configuremulti-clustersearch
Regarding the following requirement:
storing data on country-specific sites (for legal reasons, the data that is going to be indexed needs to physically stay in the country where it got created)
The moment you give all the members in your search head cluster the ability to search across all your indexer clusters, that requirement might be difficult to meet unless you place all your search head cluster members in one site.
Keep in mind your data might be stored in one place but the moment you search it from your search head, the data is already there, on that particular search head.
It is not an easy requirement to meet if there are legal implications around it. Another approach would be to use a Heavy Forwarder and allow local indexing and searching there. Then using the indexAndForward flag, index your country-specific data there and forward the non-specific one to the next hop.
An easier approach would be to join your individual search heads with the relevant indexer cluster and configure them to search only there, but that would be against your second requirement.
Hope that helps
Thank you so much for giving me more feedback on the requirement, it really helps. I will take this point into further consideration.
You will only need one Searchhead
Do you mean that using a searchhead cluster to go through all my indexer clusters data is useless?
Still an issue on 7.03 SearchHeads, thanks for that, saved a lot of time!
No, of course not. I was just answering your question whether you need a searchhead for each indexer cluster.
With a searchhead cluster, the configuration will work the same way. You need to configure each cluster master on each searchhead.
Another doc:
http://docs.splunk.com/Documentation/Splunk/6.3.2/DistSearch/SHCandindexercluster
Thank you so much!
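To illustrate the advice above to configure each cluster master on each search head, here is an added example (not posted by anyone in the thread) of a `server.conf` fragment for one search head that searches three independent indexer clusters. The cluster labels, host names and key placeholders are assumptions, and the `master_uri` setting name follows the 6.x documentation linked in the thread.

```ini
# server.conf on each search head (or each search head cluster member).
# Constructed example: labels, host names and keys are placeholders.

[clustering]
mode = searchhead
# One reference per indexer cluster; each points at a stanza below.
master_uri = clustermaster:country_a, clustermaster:country_b, clustermaster:country_c

[clustermaster:country_a]
master_uri = https://cm-country-a.example.com:8089
# Use a different key per cluster so a leaked key exposes one cluster only.
pass4SymmKey = <key-for-cluster-a>

[clustermaster:country_b]
master_uri = https://cm-country-b.example.com:8089
pass4SymmKey = <key-for-cluster-b>

[clustermaster:country_c]
master_uri = https://cm-country-c.example.com:8089
pass4SymmKey = <key-for-cluster-c>
```

As the second answer points out, search results from all three clusters are brought to whichever search head runs the search, so the physical location of the search heads still matters for the data-residency requirement.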