Deployment Architecture

Component wise priority to deploy search head cluster and indexer cluster

rajeev_ku
Path Finder

Hi,

We are planning to deploy a search head cluster, an indexer cluster with a master node, and a deployment server for PoC use.
Does anyone have a document where I can find which component should be deployed/configured first?
Should we configure and start the indexer server first, the master node first, or the search head first?

Thanks
Rajeev

0 Karma
1 Solution

esix_splunk
Splunk Employee

You need to understand the general architecture and flow of traffic; you can read the architecting Splunk docs at http://docs.splunk.com/Documentation/Splunk/6.4.2/Deploy/Distributedoverview.

Short answer: based on deployment experience, here is the order you would build this, with a short explanation:

1) Master Node (Cluster Master) - This needs to be configured before the indexing tier can connect and join a cluster or before SH can search the Indexer Cluster.
2) Indexing Tier (Indexers) - These connect to the Master Node and, once Search Factor and Replication Factor are met, start indexing.
3) Deployment Server / Deployer - If you are using a Search Head Cluster, you will need a deployer configured. Otherwise, you should use a Deployment Server for managing your SH / UF.
4) Search Heads - Configure your search head and join it to the Master Node. (It can search your indexer cluster now.)
5) HF / UFs - Get data into your cluster!

When deploying in the field, this is the general order for building out and deploying. This is generally the easiest process in my opinion. It allows a clear and easy method for testing connectivity and data flow into your Aggregation and Indexing Tiers.

rajeev_ku
Path Finder

Thank you so much for such a descriptive and prompt response.

0 Karma

TStrauch
Communicator

Hi,

I don't know if there is a document that gives you the information for deploying a complete infrastructure like this.

The way you should do it is:

  1. Clustermaster/Deploymentserver
  2. Indexer
  3. Searchhead/SH-Cluster

To deploy and configure the single points of your infrastructure, just search docs.splunk.com for instructions. It's well documented.

Greets

0 Karma
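
The build order given in the two answers above, written out as the configuration stanzas each tier needs. This is an added example, not part of the original thread or Splunk's own configuration. Hostnames, ports, the secret placeholders, the output group name and the cluster label are assumptions; setting names follow the 6.x documentation line the accepted answer links to.

```ini
# 1) Master node: server.conf
[clustering]
mode = master
replication_factor = 3
search_factor = 2
# Indexer-cluster shared secret: must be identical on master, peers and search heads.
pass4SymmKey = <INDEXER_CLUSTER_SECRET>

# 2) Each indexer (peer): server.conf
[replication_port://9887]

[clustering]
mode = slave
master_uri = https://cm.example.internal:8089
pass4SymmKey = <INDEXER_CLUSTER_SECRET>

# 2) Each indexer (peer): inputs.conf, receiving port for forwarders
[splunktcp://9997]

# 3) Deployer (search head cluster only): server.conf
[shclustering]
# Separate secret for the search head cluster: identical on deployer and members.
pass4SymmKey = <SHC_SECRET>
shcluster_label = shc_poc

# 4) Each search head cluster member: server.conf
[replication_port://9200]

[shclustering]
disabled = 0
mgmt_uri = https://sh1.example.internal:8089
conf_deploy_fetch_url = https://deployer.example.internal:8089
pass4SymmKey = <SHC_SECRET>
shcluster_label = shc_poc

# Attach the member to the indexer cluster so it can search the peers.
[clustering]
mode = searchhead
master_uri = https://cm.example.internal:8089
pass4SymmKey = <INDEXER_CLUSTER_SECRET>

# 5) Forwarders (HF / UF): outputs.conf
[tcpout:poc_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
```

A peer or search head whose `pass4SymmKey` does not match the master's cannot join the cluster, so use a generated secret rather than a default value and keep it out of version control. The search head cluster still needs its first captain bootstrapped once the members are up.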