Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cluster Architecture Splunk Best Practice

azer271
Path Finder
‎12-19-2024 05:24 AM

Hello there. I would like to ask about Splunk best practices, specifically regarding cluster architecture. One suggested practice is to configure all Splunk servers running Splunk Web (aka: a search head) as members of the indexer cluster, (at least that is what I hear from the architecture lesson).

For example, there is a Splunk deployer. I need to use this command or achieved through web:

splunk edit cluster-config -mode searchhead -manager_uri https://x.x.x.x:8089 (indexer cluster manager IP) -secret idxcluster

Another one suggested practice is adding the Splunk servers (mention above such as deployers) to distributed search > search peers as well in manager.

I would like to know why these are good practice and what are the benefits of doing these. (The deployer is not really a search head?)

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-19-2024 05:44 AM

Hi @azer271 ,

if you're speking of an Indexer Cluster, best practices hint to deisable web interface on Search Peers (Indexers) and maintain it on the Cluster Manager.

If you are speaking of a Search Head Cluster, you have to use the Deployer to deploy Apps to the SHs, and the common configurations like the connection with the Indexer Cluster.

If you don't have a Search Head Cluster but a stand-alone Search Head, you can run the command on the Search Head to connect it to the Cluster Manager and the Search Peers.

The Deployer isn't a Search Head and cannot be configured as a SH.

In conclusion, what's your requirement:

  • you need an Indexer Cluster?
  • if yes, mono site or multi site?
  • you need a Search Head Cluster or a stand-alone Search Head?

Remember that you cannot use the Deployment Server to deploy apps to the Indexer Cluster and to the Search Head Cluster.

for more information, see at https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Aboutclusters and https://docs.splunk.com/Documentation/Splunk/9.3.2/DistSearch/AboutSHC

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-19-2024 05:44 AM

Hi @azer271 ,

if you're speking of an Indexer Cluster, best practices hint to deisable web interface on Search Peers (Indexers) and maintain it on the Cluster Manager.

If you are speaking of a Search Head Cluster, you have to use the Deployer to deploy Apps to the SHs, and the common configurations like the connection with the Indexer Cluster.

If you don't have a Search Head Cluster but a stand-alone Search Head, you can run the command on the Search Head to connect it to the Cluster Manager and the Search Peers.

The Deployer isn't a Search Head and cannot be configured as a SH.

In conclusion, what's your requirement:

  • you need an Indexer Cluster?
  • if yes, mono site or multi site?
  • you need a Search Head Cluster or a stand-alone Search Head?

Remember that you cannot use the Deployment Server to deploy apps to the Indexer Cluster and to the Search Head Cluster.

for more information, see at https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Aboutclusters and https://docs.splunk.com/Documentation/Splunk/9.3.2/DistSearch/AboutSHC

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-06-2025 06:51 AM

Hi @azer271 ,

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...