Solved: Cluster Architecture Splunk Best Practice

azer271 · ‎12-19-2024

Hello there. I would like to ask about Splunk best practices, specifically regarding cluster architecture. One suggested practice is to configure all Splunk servers running Splunk Web (aka: a search head) as members of the indexer cluster, (at least that is what I hear from the architecture lesson).

For example, there is a Splunk deployer. I need to use this command or achieved through web:

splunk edit cluster-config -mode searchhead -manager_uri https://x.x.x.x:8089 (indexer cluster manager IP) -secret idxcluster

Another one suggested practice is adding the Splunk servers (mention above such as deployers) to distributed search > search peers as well in manager.

I would like to know why these are good practice and what are the benefits of doing these. (The deployer is not really a search head?)

Thank you.

gcusello · ‎12-19-2024

Hi @azer271 ,

if you're speking of an Indexer Cluster, best practices hint to deisable web interface on Search Peers (Indexers) and maintain it on the Cluster Manager.

If you are speaking of a Search Head Cluster, you have to use the Deployer to deploy Apps to the SHs, and the common configurations like the connection with the Indexer Cluster.

If you don't have a Search Head Cluster but a stand-alone Search Head, you can run the command on the Search Head to connect it to the Cluster Manager and the Search Peers.

The Deployer isn't a Search Head and cannot be configured as a SH.

In conclusion, what's your requirement:

you need an Indexer Cluster?
if yes, mono site or multi site?
you need a Search Head Cluster or a stand-alone Search Head?

Remember that you cannot use the Deployment Server to deploy apps to the Indexer Cluster and to the Search Head Cluster.

for more information, see at https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Aboutclusters and https://docs.splunk.com/Documentation/Splunk/9.3.2/DistSearch/AboutSHC

Ciao.

Giuseppe

View solution in original post

gcusello · ‎12-19-2024

Hi @azer271 ,

if you're speking of an Indexer Cluster, best practices hint to deisable web interface on Search Peers (Indexers) and maintain it on the Cluster Manager.

If you are speaking of a Search Head Cluster, you have to use the Deployer to deploy Apps to the SHs, and the common configurations like the connection with the Indexer Cluster.

If you don't have a Search Head Cluster but a stand-alone Search Head, you can run the command on the Search Head to connect it to the Cluster Manager and the Search Peers.

The Deployer isn't a Search Head and cannot be configured as a SH.

In conclusion, what's your requirement:

you need an Indexer Cluster?
if yes, mono site or multi site?
you need a Search Head Cluster or a stand-alone Search Head?

Remember that you cannot use the Deployment Server to deploy apps to the Indexer Cluster and to the Search Head Cluster.

for more information, see at https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Aboutclusters and https://docs.splunk.com/Documentation/Splunk/9.3.2/DistSearch/AboutSHC

Ciao.

Giuseppe

gcusello · ‎03-06-2025

Hi @azer271 ,

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Cluster Architecture Splunk Best Practice

deployment server

distributed search

indexer clustering

search head

Index This | What’s a riddle wrapped in an enigma?

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!

Are you a member of the Splunk Community?

Cluster Architecture Splunk Best Practice

deployment server

distributed search

indexer clustering

search head

Index This | What’s a riddle wrapped in an enigma?

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!