Deployment Architecture

Cross Cluster Search - Single site vs Multisite

mufthmu
Path Finder

Hi,

I have a task where I need to make my search head cluster to be able to search from two different data center/indexer clusters. One in east and another one in west coast.

According to the docs below: this can be done in 2 ways; single-site or multisite:
https://docs.splunk.com/Documentation/Splunk/6.3.3/Indexer/Configuremulti-clustersearch

I have some ideas of how both work but I need more in-depth explanation why one approach is better than the other (in terms of searching/indexing performance, latency, cost, maintenance, complexity, etc). I do need to bring up that I will enable Smartstore to store data to AWS S3 instead of locally in indexer nodes.

Thank you so much in advance!

 

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The document provides instructions for setting up a SHC to search more than one indexer cluster.  Choose the instructions that pertain to your existing architecture.  There is no need to change your indexers or how they are clustered.

Also, SmartStore has no bearing on cross-cluster searching.  S2 is transparent to the search heads.

---
If this reply helps you, Karma would be appreciated.
0 Karma

mufthmu
Path Finder

Hi @richgalloway 

Thank you for your prompt answer. 

I agree that I don't need to change my indexer cluster. But the documentation only talked about how to set that up and not about the comparison of the two. I just need more help to decide which one to pick.

Also, regarding your statement "Also, SmartStore has bearing on cross-cluster searching.  S2 is transparent to the search heads." Could you please elaborate more on this?

thanks!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Since you must already have indexers in your environment, choose the instructions that correspond to your indexer architecture.  IOW, if you have a cluster manager then use it; otherwise, use individual indexers.

I left out a crucial word in my SmartStore statement.  S2 has NO bearing on how you set up distributed search.  Search heads ask indexers to search for data - they don't know or care about how the indexers obtain that data.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...