Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cluster Architecture Splunk Best Practice

azer271
Path Finder
‎12-19-2024 05:24 AM

Hello there. I would like to ask about Splunk best practices, specifically regarding cluster architecture. One suggested practice is to configure all Splunk servers running Splunk Web (aka: a search head) as members of the indexer cluster, (at least that is what I hear from the architecture lesson).

For example, there is a Splunk deployer. I need to use this command or achieved through web:

splunk edit cluster-config -mode searchhead -manager_uri https://x.x.x.x:8089 (indexer cluster manager IP) -secret idxcluster

Another one suggested practice is adding the Splunk servers (mention above such as deployers) to distributed search > search peers as well in manager.

I would like to know why these are good practice and what are the benefits of doing these. (The deployer is not really a search head?)

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-19-2024 05:44 AM

Hi @azer271 ,

if you're speking of an Indexer Cluster, best practices hint to deisable web interface on Search Peers (Indexers) and maintain it on the Cluster Manager.

If you are speaking of a Search Head Cluster, you have to use the Deployer to deploy Apps to the SHs, and the common configurations like the connection with the Indexer Cluster.

If you don't have a Search Head Cluster but a stand-alone Search Head, you can run the command on the Search Head to connect it to the Cluster Manager and the Search Peers.

The Deployer isn't a Search Head and cannot be configured as a SH.

In conclusion, what's your requirement:

  • you need an Indexer Cluster?
  • if yes, mono site or multi site?
  • you need a Search Head Cluster or a stand-alone Search Head?

Remember that you cannot use the Deployment Server to deploy apps to the Indexer Cluster and to the Search Head Cluster.

for more information, see at https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Aboutclusters and https://docs.splunk.com/Documentation/Splunk/9.3.2/DistSearch/AboutSHC

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-19-2024 05:44 AM

Hi @azer271 ,

if you're speking of an Indexer Cluster, best practices hint to deisable web interface on Search Peers (Indexers) and maintain it on the Cluster Manager.

If you are speaking of a Search Head Cluster, you have to use the Deployer to deploy Apps to the SHs, and the common configurations like the connection with the Indexer Cluster.

If you don't have a Search Head Cluster but a stand-alone Search Head, you can run the command on the Search Head to connect it to the Cluster Manager and the Search Peers.

The Deployer isn't a Search Head and cannot be configured as a SH.

In conclusion, what's your requirement:

  • you need an Indexer Cluster?
  • if yes, mono site or multi site?
  • you need a Search Head Cluster or a stand-alone Search Head?

Remember that you cannot use the Deployment Server to deploy apps to the Indexer Cluster and to the Search Head Cluster.

for more information, see at https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Aboutclusters and https://docs.splunk.com/Documentation/Splunk/9.3.2/DistSearch/AboutSHC

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-06-2025 06:51 AM

Hi @azer271 ,

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Fall Into Learning with New Splunk Education Courses

Every month, Splunk Education releases new courses to help you branch out, strengthen your data science roots, ...

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

By Martin Hettervik, Senior Consultant and Team Leader at Accelerate at Iver, Splunk MVPThe stats command is ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes

Your bank's payment processing system is humming along during a busy afternoon, handling millions in hourly ...