Deployment Architecture

Can a search head cluster search across several indexer clusters?

maclemes
Explorer

Here are my requirements:
- storing data on country-specific sites (for legal reasons, the data that is going to be indexed needs to physically stay in the country where it got created)
- searching across all sites

My current design is the following:
- 3 completely independent index clusters in different sites with no replication between them
- 1 search head cluster (with a load balancer in front), that would use the 3 indexer clusters as its search peers

Is that even possible?
I think I understood that a single search head can search across several indexer clusters, but I am not entirely sure the search head cluster allows for that.

Also, do I need to add a search head inside each indexer cluster to make this whole system work? Or should I only do that if I want each indexer cluster to be searchable on its own?

0 Karma
1 Solution

Raschko
Communicator

Sure, search across multisite multi-cluster is possible. You will only need one Searchhead.

There's a good doc about it, please have a look at

http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Configuremulti-clustersearch


javiergn
SplunkTrust

Regarding the following requirement:

storing data on country-specific sites (for legal reasons, the data that is going to be indexed needs to physically stay in the country where it got created)

The moment you give all the members in your search head cluster the ability to search across all your indexer clusters, that requirement might be difficult to meet unless you place all your search head cluster members in one site.
Keep in mind your data might be stored in one place but the moment you search it from your search head, the data is already there, on that particular search head.

It is not an easy requirement to meet if there are legal implications around it. Another approach would be to use a Heavy Forwarder and allow local indexing and searching there. Then using the indexAndForward flag, index your country-specific data there and forward the non-specific one to the next hop.

An easier approach would be to join your individual search heads with the relevant indexer cluster and configure them to search only there, but that would be against your second requirement.

Hope that helps

0 Karma

maclemes
Explorer

Thank you so much for giving me more feedback on the requirement, it really helps. I will take this point into further consideration.

0 Karma

maclemes
Explorer

You will only need one Searchhead

Do you mean that using a searchhead cluster to go through all my indexer clusters data is useless?

0 Karma

claudio_manig
Communicator

Still an issue on 7.03 SearchHeads, thanks for that, saved a lot of time!

0 Karma

Raschko
Communicator

No, of course not. I was just answering your question whether you need a searchhead for each indexer cluster.

With a searchhead cluster, the configuration will work the same way. You need to configure each cluster master on each searchhead.

Another doc:
http://docs.splunk.com/Documentation/Splunk/6.3.2/DistSearch/SHCandindexercluster

0 Karma
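
Added example (not part of the thread or of Splunk's own tooling): a small audit that reads a search head's server.conf, lists every indexer cluster it is attached to, and flags the ones outside the search head's own country, which is the residency concern raised above. It assumes the multi-cluster stanza layout from the Splunk 6.x documentation linked in the thread; the host names, the country inventory and the function names are constructed for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: server.conf of one search head cluster member attached
# to three indexer clusters. Hosts are placeholders; pass4SymmKey lines omitted.
SAMPLE_SERVER_CONF = """
[clustering]
mode = searchhead
master_uri = clustermaster:de, clustermaster:fr, clustermaster:us

[clustermaster:de]
master_uri = https://cm-de.example.com:8089

[clustermaster:fr]
master_uri = https://cm-fr.example.com:8089

[clustermaster:us]
master_uri = https://cm-us.example.com:8089
"""

# Assumed inventory: which country each cluster master (and its peers) sits in.
MASTER_COUNTRY = {"cm-de.example.com": "DE", "cm-fr.example.com": "FR",
                  "cm-us.example.com": "US"}

def attached_masters(conf_text):
    """Return {stanza: master_uri} for every indexer cluster this head searches."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if cp.get("clustering", "mode", fallback="") != "searchhead":
        return {}
    masters = {}
    for ref in cp.get("clustering", "master_uri", fallback="").split(","):
        ref = ref.strip()
        if ref.startswith("clustermaster:"):   # multi-cluster form: named stanza
            masters[ref] = cp.get(ref, "master_uri", fallback=None)
        elif ref:                               # single-cluster form: bare URI
            masters["clustering"] = ref
    return masters

def cross_border(conf_text, head_country, master_country=MASTER_COUNTRY):
    """List (stanza, uri, country) for clusters outside the head's own country."""
    findings = []
    for stanza, uri in sorted(attached_masters(conf_text).items()):
        country = master_country.get(urlsplit(uri or "").hostname, "unknown")
        if country != head_country:
            findings.append((stanza, uri, country))
    return findings
```

Calling `cross_border(SAMPLE_SERVER_CONF, "DE")` for a member hosted in Germany reports the FR and US clusters, whose search results would be pulled onto that member.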

maclemes
Explorer

Thank you so much!

0 Karma