Deployment Architecture
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Cluster Architecture Splunk Best Practice

azer271
Explorer
‎12-19-2024 05:24 AM

Hello there. I would like to ask about Splunk best practices, specifically regarding cluster architecture. One suggested practice is to configure all Splunk servers running Splunk Web (aka: a search head) as members of the indexer cluster, (at least that is what I hear from the architecture lesson).

For example, there is a Splunk deployer. I need to use this command or achieved through web:

splunk edit cluster-config -mode searchhead -manager_uri https://x.x.x.x:8089 (indexer cluster manager IP) -secret idxcluster

Another one suggested practice is adding the Splunk servers (mention above such as deployers) to distributed search > search peers as well in manager.

I would like to know why these are good practice and what are the benefits of doing these. (The deployer is not really a search head?)

Thank you.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-19-2024 05:44 AM

Hi @azer271 ,

if you're speking of an Indexer Cluster, best practices hint to deisable web interface on Search Peers (Indexers) and maintain it on the Cluster Manager.

If you are speaking of a Search Head Cluster, you have to use the Deployer to deploy Apps to the SHs, and the common configurations like the connection with the Indexer Cluster.

If you don't have a Search Head Cluster but a stand-alone Search Head, you can run the command on the Search Head to connect it to the Cluster Manager and the Search Peers.

The Deployer isn't a Search Head and cannot be configured as a SH.

In conclusion, what's your requirement:

  • you need an Indexer Cluster?
  • if yes, mono site or multi site?
  • you need a Search Head Cluster or a stand-alone Search Head?

Remember that you cannot use the Deployment Server to deploy apps to the Indexer Cluster and to the Search Head Cluster.

for more information, see at https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Aboutclusters and https://docs.splunk.com/Documentation/Splunk/9.3.2/DistSearch/AboutSHC

Ciao.

Giuseppe

Reply

gcusello
SplunkTrust
SplunkTrust
yesterday

Hi @azer271 ,

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting

Splunk is excited to announce new releases that empower ITOps and engineering teams to stay ahead in ever ...
Top