Deployment Architecture

Cluster Architecture Splunk Best Practice

azer271
Path Finder

Hello there. I would like to ask about Splunk best practices, specifically regarding cluster architecture. One suggested practice is to configure all Splunk servers running Splunk Web (aka: a search head) as members of the indexer cluster, (at least that is what I hear from the architecture lesson).

For example, there is a Splunk deployer. I need to use this command or achieved through web:

splunk edit cluster-config -mode searchhead -manager_uri https://x.x.x.x:8089 (indexer cluster manager IP) -secret idxcluster

Another one suggested practice is adding the Splunk servers (mention above such as deployers) to distributed search > search peers as well in manager.

I would like to know why these are good practice and what are the benefits of doing these. (The deployer is not really a search head?)

Thank you.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @azer271 ,

if you're speking of an Indexer Cluster, best practices hint to deisable web interface on Search Peers (Indexers) and maintain it on the Cluster Manager.

If you are speaking of a Search Head Cluster, you have to use the Deployer to deploy Apps to the SHs, and the common configurations like the connection with the Indexer Cluster.

If you don't have a Search Head Cluster but a stand-alone Search Head, you can run the command on the Search Head to connect it to the Cluster Manager and the Search Peers.

The Deployer isn't a Search Head and cannot be configured as a SH.

In conclusion, what's your requirement:

  • you need an Indexer Cluster?
  • if yes, mono site or multi site?
  • you need a Search Head Cluster or a stand-alone Search Head?

Remember that you cannot use the Deployment Server to deploy apps to the Indexer Cluster and to the Search Head Cluster.

for more information, see at https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Aboutclusters and https://docs.splunk.com/Documentation/Splunk/9.3.2/DistSearch/AboutSHC

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @azer271 ,

if you're speking of an Indexer Cluster, best practices hint to deisable web interface on Search Peers (Indexers) and maintain it on the Cluster Manager.

If you are speaking of a Search Head Cluster, you have to use the Deployer to deploy Apps to the SHs, and the common configurations like the connection with the Indexer Cluster.

If you don't have a Search Head Cluster but a stand-alone Search Head, you can run the command on the Search Head to connect it to the Cluster Manager and the Search Peers.

The Deployer isn't a Search Head and cannot be configured as a SH.

In conclusion, what's your requirement:

  • you need an Indexer Cluster?
  • if yes, mono site or multi site?
  • you need a Search Head Cluster or a stand-alone Search Head?

Remember that you cannot use the Deployment Server to deploy apps to the Indexer Cluster and to the Search Head Cluster.

for more information, see at https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Aboutclusters and https://docs.splunk.com/Documentation/Splunk/9.3.2/DistSearch/AboutSHC

Ciao.

Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @azer271 ,

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...