
Can a search head cluster search across several indexer clusters?

Explorer

Here are my requirements:
- storing data on country-specific sites (for legal reasons, the data that is going to be indexed needs to physically stay in the country where it got created)
- searching across all sites

My current design is the following:
- 3 completely independent index clusters in different sites with no replication between them
- 1 search head cluster (with a load balancer in front), that would use the 3 indexer clusters as its search peers

Is that even possible?
I think I understood that a single search head can search across several indexer clusters, but I am not entirely sure the search head cluster allows for that.

Also, do I need to add a search head inside each indexer cluster to make this whole system work? Or should I only do that if I want each indexer cluster to be searchable on its own?

0 Karma

Communicator

Sure, search across multisite multi-cluster is possible. You will only need one Searchhead.

There's a good doc about it, please have a look at

http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Configuremulti-clustersearch


SplunkTrust

Regarding the following requirement:

storing data on country-specific sites (for legal reasons, the data that is going to be indexed needs to physically stay in the country where it got created)

The moment you give all the members in your search head cluster the ability to search across all your indexer clusters, that requirement might be difficult to meet unless you place all your search head cluster members in one site.
Keep in mind your data might be stored in one place but the moment you search it from your search head, the data is already there, on that particular search head.

It is not an easy requirement to meet if there are legal implications around it. Another approach would be to use a Heavy Forwarder and allow local indexing and searching there. Then using the indexAndForward flag, index your country-specific data there and forward the non-specific one to the next hop.

An easier approach would be to join your individual search heads with the relevant indexer cluster and configure them to search only there, but that would be against your second requirement.

Hope that helps

0 Karma

Explorer

Thank you so much for giving me more feedback on the requirement, it really helps. I will take this point into further consideration.

0 Karma


Explorer

You will only need one Searchhead

Do you mean that using a searchhead cluster to go through all my indexer clusters data is useless?

0 Karma

Communicator

Still an issue on 7.03 SearchHeads, thanks for that, saved a lot of time!

0 Karma

Communicator

No, of course not. I was just answering your question whether you need a searchhead for each indexer cluster.

With a searchhead cluster, the configuration will work the same way. You need to configure each cluster master on each searchhead.

Another doc:
http://docs.splunk.com/Documentation/Splunk/6.3.2/DistSearch/SHCandindexercluster

0 Karma
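
The per-member setup described in the reply above, as an added example that is not part of the original thread: a `server.conf` fragment for one search head cluster member that searches three independent indexer clusters. The cluster labels, hostnames and key values are placeholders; the setting names are those used in the Splunk 6.x multi-cluster search documentation linked in the thread.

```ini
# server.conf on EACH search head cluster member
# (added example; labels, hostnames and keys below are placeholders)

[clustering]
mode = searchhead
# One reference per indexer cluster; each label points at a stanza below.
master_uri = clustermaster:country_a, clustermaster:country_b, clustermaster:country_c

# Indexer cluster in country A
[clustermaster:country_a]
master_uri = https://cm-a.example.com:8089
# Each indexer cluster can keep its own secret, so a key leaked from one
# site does not grant access to the other clusters.
pass4SymmKey = <secret-for-cluster-a>

# Indexer cluster in country B
[clustermaster:country_b]
master_uri = https://cm-b.example.com:8089
pass4SymmKey = <secret-for-cluster-b>

# Indexer cluster in country C
[clustermaster:country_c]
master_uri = https://cm-c.example.com:8089
pass4SymmKey = <secret-for-cluster-c>

# Data-residency note, from the discussion above: indexed data stays on the
# indexers of each cluster, but search results are returned to whichever
# search head runs the search, so the location of the search head cluster
# members matters for the legal requirement.
```

The same stanzas must be present on every member of the search head cluster, since each member connects to the cluster masters independently.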

Explorer

Thank you so much!

0 Karma