Deployment Architecture

Can a search head cluster search across several indexer clusters?

maclemes
Explorer

Here are my requirements:
- storing data on country-specific sites (for legal reasons, the data that is going to be indexed needs to physically stay in the country where it got created)
- searching across all sites

My current design is the following:
- 3 completely independent index clusters in different sites with no replication between them
- 1 search head cluster (with a load balancer in front), that would use the 3 indexer clusters as its search peers

Is that even possible?
I think I understood that a single search head can search across several indexer clusters, but I am not entirely sure the search head cluster allows for that.

Also, do I need to add a search head inside each indexer cluster to make this whole system work? Or should I only do that if I want each indexer cluster to be searchable on its own?

0 Karma
1 Solution

Raschko
Communicator

Sure, search across multisite multi-cluster is possible. You will only need one Searchhead.

There's a good doc about it, please have a look at

http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Configuremulti-clustersearch


javiergn
SplunkTrust

Regarding the following requirement:

storing data on country-specific sites (for legal reasons, the data that is going to be indexed needs to physically stay in the country where it got created)

The moment you give all the members in your search head cluster the ability to search across all your indexer clusters, that requirement might be difficult to meet unless you place all your search head cluster members in one site.
Keep in mind your data might be stored in one place but the moment you search it from your search head, the data is already there, on that particular search head.

It is not an easy requirement to meet if there are legal implications around it. Another approach would be to use a Heavy Forwarder and allow local indexing and searching there. Then using the indexAndForward flag, index your country-specific data there and forward the non-specific one to the next hop.

An easier approach would be to join your individual search heads with the relevant indexer cluster and configure them to search only there, but that would be against your second requirement.

Hope that helps

0 Karma

maclemes
Explorer

Thank you so much for giving me more feedback on the requirement, it really helps. I will take this point into further consideration.

0 Karma

maclemes
Explorer

You will only need one Searchhead

Do you mean that using a searchhead cluster to go through all my indexer clusters data is useless?

0 Karma

claudio_manig
Communicator

Still an issue on 7.03 SearchHeads, thanks for that, saved a lot of time!

0 Karma

Raschko
Communicator

No, of course not. I was just answering your question whether you need a searchhead for each indexer cluster.

With a searchhead cluster, the configuration will work the same way. You need to configure each cluster master on each searchhead.

Another doc:
http://docs.splunk.com/Documentation/Splunk/6.3.2/DistSearch/SHCandindexercluster

0 Karma
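
Added example, not part of the original thread and not Splunk's own code: a small checker for the multi-cluster search setup described in the answer above, where each search head references every cluster master through a `clustermaster:<label>` stanza in server.conf. The sample config, host names and labels are constructed, and requiring an https `master_uri` and a `pass4SymmKey` in every referenced stanza is an assumption of this check.

```python
import configparser

# Constructed sample: server.conf from one search head cluster member.
# Host names and stanza labels (de, fr) are placeholders.
SAMPLE_SERVER_CONF = """
[clustering]
mode = searchhead
master_uri = clustermaster:de, clustermaster:fr

[clustermaster:de]
master_uri = https://cm-de.example.com:8089
pass4SymmKey = changeme-de

[clustermaster:fr]
master_uri = http://cm-fr.example.com:8089
"""

def check_multicluster_search(conf_text):
    """Return a list of problems found in a search head's [clustering] setup."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("clustering"):
        return ["no [clustering] stanza"]
    problems = []
    if cp.get("clustering", "mode", fallback="").strip() != "searchhead":
        problems.append("[clustering] mode is not 'searchhead'")
    raw = cp.get("clustering", "master_uri", fallback="")
    refs = [r.strip() for r in raw.split(",") if r.strip()]
    if not refs:
        problems.append("[clustering] master_uri lists no cluster masters")
    for ref in refs:
        if not ref.startswith("clustermaster:"):
            problems.append(f"{ref}: not a clustermaster:<label> reference")
            continue
        if not cp.has_section(ref):
            problems.append(f"{ref}: referenced but no [{ref}] stanza")
            continue
        # Each referenced cluster master needs its own URI and shared secret.
        uri = cp.get(ref, "master_uri", fallback="").strip()
        if not uri.startswith("https://"):
            problems.append(f"{ref}: master_uri missing or not https")
        if not cp.get(ref, "pass4SymmKey", fallback="").strip():
            problems.append(f"{ref}: pass4SymmKey not set")
    return problems

if __name__ == "__main__":
    for problem in check_multicluster_search(SAMPLE_SERVER_CONF):
        print(problem)
```

Running the same check against the server.conf of every search head cluster member shows whether each member is configured for the same set of indexer clusters.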

maclemes
Explorer

Thank you so much!

0 Karma