Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Clustering queries

SplunkFu
Path Finder
‎04-03-2013 09:08 AM

Hi there,

We are currently looking at the using clustering to introduce redundancy/HA into the deployment. I have a few questions which I may have missed in the documentation...

  1. Is there a minimum number of peer nodes that can be used in a cluster? - we are looking at 2 nodes, are there any major restrictions to this setup?
  2. In the documentation it states that a reference server should suffice for the master node, however as it is not performing any indexing/searching does it require that much in specification?
  3. Any issues with using clustering with the ES App?
  4. Are there any issues in having a search head searching between clustered and non-clustered indexers/nodes?
  5. Finally, I didn't see any notes on how to calculate storage requirements for clustering. Any thoughts?

Thanks in advance, and I look forward to your help 🙂

Best regards...

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-03-2013 01:35 PM
  1. No, two indexer nodes is fine.
  2. You can and probably should use a much smaller server for the master node. It doesn't need anything near the storage or CPU of any indexer. Probably a dual-core machine with 2 or 4 GB of memory and no big storage is fine.
  3. There should not be, except that summaries/tsidxstats will not be stored on the cluster
  4. You can not do this. A search head can search many non-clustered nodes, or it can search many clusters, but it can't do both. It's probably worth making an Enhancement Request for this if you want it
  5. http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Systemrequirements#Storage_considerations

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-03-2013 01:35 PM
  1. No, two indexer nodes is fine.
  2. You can and probably should use a much smaller server for the master node. It doesn't need anything near the storage or CPU of any indexer. Probably a dual-core machine with 2 or 4 GB of memory and no big storage is fine.
  3. There should not be, except that summaries/tsidxstats will not be stored on the cluster
  4. You can not do this. A search head can search many non-clustered nodes, or it can search many clusters, but it can't do both. It's probably worth making an Enhancement Request for this if you want it
  5. http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Systemrequirements#Storage_considerations
Reply
Solved! Jump to solution

SplunkFu
Path Finder
‎04-04-2013 12:43 AM

also... how do I submit an enhancement request... not done one before.

0 Karma
Reply
Solved! Jump to solution

SplunkFu
Path Finder
‎04-04-2013 12:42 AM

Thanks for the response, very helpful... can't believe I missed that webpage.

0 Karma
Reply
Solved! Jump to solution

Steve_G_
Splunk Employee
Splunk Employee
‎04-03-2013 11:34 AM

I can help with a few of these:

Minimum number of peer nodes: Depends of course on your availability needs, but you can certainly set up a cluster with just two peer nodes.

Storage requirements: Many factors enter into it, but there's some pretty extensive documentation here: http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Systemrequirements#Storage_considerations

Reply
Solved! Jump to solution

SplunkFu
Path Finder
‎04-05-2013 05:51 AM

Ahh right, okay that's great thanks. Will do, thanks

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-04-2013 08:00 AM

You can submit a enhancement request by submitting a case here https://www.splunk.com/page/submit_issue and setting it to priority level P4.

0 Karma
Reply
Solved! Jump to solution

SplunkFu
Path Finder
‎04-04-2013 12:41 AM

Thanks for the response... completely missed that documentation page... thought I clicked through them all. +1

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...