Solved: Can i have just 2 search heads in a cluster

jiaqya · ‎03-13-2019

looking to have 2 node search head cluster.
so this means i need 3 servers, ie 2 members + 1 load balancer

if i assign a static captain, then can i go ahead with 2 node search head cluster, this is for dev envirionment.

nickhills · ‎03-13-2019

Hi @jiaqya

EDIT: In my first response, I missed that you were thinking about 'dev'

In that case, and having reviewed the docs. it may be possible:
https://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Staticcaptain

However...
You may have some difficultiy bringing the SHC up because there will be no majority.

You can certainly use a static captain to bring up a cluster when there is no majority of surviving members, however I am not sure you will be able to initially bootstrap a cluster with just two nodes.

You could probably, build a 3 node SHC, then set a static captain and remove the third node, but this seems like a lot of effort once you have built 3 to start with

If my comment helps, please give it a thumbs up!

View solution in original post

nickhills · ‎03-13-2019

Hi @jiaqya

EDIT: In my first response, I missed that you were thinking about 'dev'

In that case, and having reviewed the docs. it may be possible:
https://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Staticcaptain

However...
You may have some difficultiy bringing the SHC up because there will be no majority.

You can certainly use a static captain to bring up a cluster when there is no majority of surviving members, however I am not sure you will be able to initially bootstrap a cluster with just two nodes.

You could probably, build a 3 node SHC, then set a static captain and remove the third node, but this seems like a lot of effort once you have built 3 to start with

If my comment helps, please give it a thumbs up!

jiaqya · ‎03-13-2019

This 3 number is apart from the load balancer, correct ? so i need 4 systems..

nickhills · ‎03-13-2019

You need at least 3 search heads, and if your cluster spans more than one site/datacenter the recommendation is that you always use an odd number of members, so one site always has majority.

The load balancer can be nginx, ELB, F5, Netscaler etc (and at a pinch - DNS) - its not a Splunk sever.

If my comment helps, please give it a thumbs up!

jiaqya · ‎03-13-2019

Do i need a load balancer ? i could still access search heads directly via url right ?

nickhills · ‎03-13-2019

You can, but you will only ever hit one SH - the one whose url you used.
You can do it with DNS round robin, but this will only give you 'LOAD' balancing (and not massively effective) but it will not give you any HA or FT.

Since this is dev, you could install nginx/haproxy one one (or both) of the SHs and use it to act as a load balancer. Many of the caveats above apply, but it might help
https://sites.google.com/site/mrxpalmeiras/notes/splunk-sh-cluster-ha-proxy

If my comment helps, please give it a thumbs up!

jiaqya · ‎03-13-2019

Thanks, can you help on another one.

i am not able to locate a guide/document to setup the search head cluster.
all i am getting is what search head cluster means, but not getting steps to install one..

nickhills · ‎03-13-2019

here you go:
https://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/SHCdeploymentoverview

If my comment helps, please give it a thumbs up!

jiaqya · ‎03-13-2019

Thank you

Can i have just 2 search heads in a cluster

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)