Deployment Architecture

Component-wise priority for deploying a search head cluster and indexer cluster

rajeev_ku
Path Finder

Hi,

We are planning to deploy a search head cluster and an indexer cluster, with a master node and a deployment server, for PoC use.
Does anyone have a document where I can find which component should be deployed/configured first?
Should we configure and start the indexer server first, the master node first, or the search head first?

Thanks
Rajeev

0 Karma
1 Solution

esix_splunk
Splunk Employee

You need to understand the general architecture and flow of traffic. You can read the architecting Splunk docs at: http://docs.splunk.com/Documentation/Splunk/6.4.2/Deploy/Distributedoverview.

Short Answer, based on deployment experience, here is the order you would build this, with a short explanation:

1) Master Node (Cluster Master) - This needs to be configured before the indexing tier can connect and join a cluster or before SH can search the Indexer Cluster
2) Indexing Tier (Indexers) - These connect to the Master node and once Search Factor and Replication Factor are met, start indexing
3) Deployment Server / Deployer - If you are using a Search Head Cluster, you will need a deployer configured. Otherwise, you should use a Deployment Server for managing your SH / UF
4) Search Heads - Configure your search head and join it to the Master Node. (It can search your indexer cluster now.)
5) HF / UF's - Get data into your cluster!

When deploying in the field, this is the general order for building out and deploying. This is generally the easiest process in my opinion. It allows a clear and easy method for testing connectivity and data flow into your Aggregation and Indexing Tiers.
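
Added example, not part of the original answer and not Splunk's own sample: minimal server.conf stanzas for steps 1 to 4 in the order listed above, using the setting names from the 6.4-era docs the answer links (newer releases rename the master/slave modes). The hostname, replication port, cluster label and secrets are placeholders chosen for illustration.

```ini
# Constructed example. Each section goes in
# $SPLUNK_HOME/etc/system/local/server.conf on the host named in the comment,
# and that instance is restarted before moving to the next step.

# --- 1) Master node: must be up before any peer or search head can join ---
[clustering]
mode = master
replication_factor = 3
search_factor = 2
# Shared cluster secret; must be identical on the master, peers and search heads.
pass4SymmKey = <cluster-secret>

# --- 2) Each indexer (cluster peer) ---
# Port the peers use to replicate buckets to each other (assumed value).
[replication_port://9887]

[clustering]
mode = slave
# Management port of the master node (hostname is a placeholder).
master_uri = https://cm.example.internal:8089
pass4SymmKey = <cluster-secret>

# --- 3) Deployer: only needed when a search head cluster is used ---
[shclustering]
# Separate secret for the search head cluster, not the indexer cluster one.
pass4SymmKey = <shc-secret>
shcluster_label = poc_shc

# --- 4) Each search head: joins the master so it can search the peers ---
[clustering]
mode = searchhead
master_uri = https://cm.example.internal:8089
pass4SymmKey = <cluster-secret>
```

A mismatched pass4SymmKey is a common reason a peer or search head fails to join, so set it per tier before restarting each instance. Splunk rewrites the plaintext value in encrypted form on restart, so keep the cleartext secret out of shared config repositories.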

rajeev_ku
Path Finder

Thank you so much for such a descriptive and prompt response.

0 Karma

TStrauch
Communicator

Hi,

I don't know if there is a document which gives you the information for deploying a complete infrastructure like this.

The way you should do it is:

  1. Clustermaster/Deploymentserver
  2. Indexer
  3. Searchhead/SH-Cluster

To deploy and configure the single points of your infrastructure, just search docs.splunk.com for instructions. It's well documented.

Greets

0 Karma