Deployment Architecture

Do all server configurations need to be identical for both indexer and search head clustering environments?

krishnarajapant
Path Finder

Hi Experts,

I have gone through the Capacity planning document and derived my Splunk server configurations based on the requirement.

I have two search heads and two indexers each in two sites with multisite indexer clustering and search head clustering. In total I have 4 search heads, 1 search head deployer, 4 indexers, 1 master node and 1 deployment server.

Somewhere I read in the Splunk documentation that, for search head and indexer clustering environments, all the server configurations should be identical, but I am not able to recollect the document name.

Can anyone please confirm whether we require all the server configurations to be identical if we are going with search head and indexer clustering?

With Regards,
Krishna Rajapantula.

0 Karma

nnmiller
Contributor

It is best practice to have all configurations in an IDX cluster the same; this is also the recommendation for SH clusters.

Index Cluster Deployment Overview may help, as may About Search Head Clustering.

Based on my own work with these two technologies, keeping slightly different indexer configurations seems possible, but I can't imagine any reason you'd want to, outside of migrating a legacy non-clustered indexer into a cluster. For search heads, I wouldn't even attempt such.

krishnarajapant
Path Finder

Thanks Miller for your response.

Also,

We have two search heads and two indexers each in search head & index clustering with two sites. We have a total of 4 search heads and 4 indexers, 1 master node, 1 deployer and 1 deployment server as per our design.

We are planning to provision our servers in the AWS cloud, so we would like to know the server configuration we have to go with for the below requirement.

Concurrent users: 25
Saved searches: 15
Licensing model: 100GB/day
Site replication factor: origin:2, site1:1, total:3

0 Karma

nnmiller
Contributor

So long as the AWS instances meet the minimum hardware requirements from Splunk, that configuration should easily handle 100GB, and still allow you to grow your license volume at least 2x, and possibly 3-4x, assuming you are using forwarders to distribute to all the indexers in a given site or monitoring files. Using a UDP or TCP listener on an indexer has a serious negative impact on performance. If you need to run such a listener, stand up a forwarder for it (HF or UF).

0 Karma
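The listener advice in the answer above, sketched as an added configuration example that is not part of the original thread: the network input lives on a dedicated forwarder, which load-balances to the indexers of its site. The hostnames, the syslog port 514, and the receiving port 9997 are assumptions for illustration.

```ini
# --- inputs.conf on the forwarder (not on any indexer) ---
# Assumed: syslog senders target this host on UDP 514.
[udp://514]
sourcetype = syslog
connection_host = ip

# --- outputs.conf on the same forwarder ---
[tcpout]
defaultGroup = site1_indexers

[tcpout:site1_indexers]
# Placeholder hostnames; 9997 is assumed to be the indexers' receiving port.
server = idx1.site1.example.com:9997, idx2.site1.example.com:9997
# Indexer acknowledgment: events in flight are re-sent if an indexer drops.
useACK = true

# --- inputs.conf on each indexer ---
# Only the forwarder-facing receiver; no [udp://...] or raw [tcp://...] stanzas.
[splunktcp://9997]
disabled = 0
```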