Deployment Architecture

Do all server configurations need to be identical for both indexer and search head clustering environments?

Path Finder

Hi Experts,

I have gone through the Capacity planning document and derived my Splunk server configurations based on the requirement.

I have two search heads and two indexers each in two sites with multisite indexer clustering and search head clustering. In total, I have 4 search heads, 1 search head deployer, 4 indexers, 1 master node and 1 deployment server.

Somewhere I read in the Splunk documentation that, for search head and indexer clustering environments, we should have all the server configurations be identical, but I am not able to recollect the document name.

Can anyone please confirm whether we require all the server configurations to be identical if we are going with search head and indexer clustering?

With Regards,
Krishna Rajapantula.

0 Karma


It is best practice to have all configurations in an IDX cluster the same; this is also the recommendation for SH clusters.

Index Cluster Deployment Overview may help, as may About Search Head Clustering.

Based on my own work with these two technologies, keeping slightly different indexer configurations seems possible, but I can't imagine any reason you'd want to, outside of migrating a legacy non-clustered indexer into a cluster. For search heads, I wouldn't even attempt such.

Path Finder

Thanks Miller for your response.


We have two search heads and two indexers each in search head and index clustering with two sites. In total, we have 4 search heads and 4 indexers, 1 master node, 1 deployer and 1 deployment server as per our design.

We are planning to provision our servers in AWS cloud, so we would like to know the server configuration we have to go with for the requirement below.

Concurrent users: 25
Saved Searches: 15
Licensing model: 100GB/day
Site replication factor: origin:2, site1:1, total:3

0 Karma


So long as the AWS instances meet the minimum hardware requirements from Splunk, that configuration should easily handle 100GB, and still allow you to grow your license volume at least 2x, and possibly 3-4x, assuming you are using forwarders to distribute to all the indexers in a given site or monitoring files. Using a UDP or TCP listener on an indexer has a serious negative impact on performance. If you need to run such a listener, stand up a forwarder for it (HF or UF).

0 Karma
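The listener advice in the last reply, sketched as Splunk .conf stanzas. This is an added example, not configuration posted by anyone in the thread; the hostnames, the output group name `site1_indexers`, the syslog port 514 and the receiving port 9997 are assumptions for illustration.

```ini
# ---------------------------------------------------------------
# Discouraged: inputs.conf on an indexer (cluster peer)
# The indexer itself listens for raw network data, which is the
# setup the reply warns has a serious performance impact.
# ---------------------------------------------------------------
[udp://514]
sourcetype = syslog

# ---------------------------------------------------------------
# Preferred: inputs.conf on a dedicated forwarder (UF or HF)
# The listener moves off the indexers onto its own instance.
# ---------------------------------------------------------------
[udp://514]
sourcetype = syslog
# Record the sender's IP address as the host field
connection_host = ip

# ---------------------------------------------------------------
# outputs.conf on that same forwarder
# List every indexer in the site so the forwarder distributes
# events across all of them.
# ---------------------------------------------------------------
[tcpout]
defaultGroup = site1_indexers

[tcpout:site1_indexers]
# Hypothetical hostnames for the two site1 indexers
server = idx1-site1.example.internal:9997, idx2-site1.example.internal:9997
# Indexer acknowledgment, so events are resent if a peer goes away
useACK = true

# ---------------------------------------------------------------
# inputs.conf on every indexer, kept identical across peers
# Only the forwarder-to-indexer receiving port is opened; no raw
# udp:// or tcp:// stanza is needed on the peers.
# ---------------------------------------------------------------
[splunktcp://9997]
disabled = 0
```

Because the indexer stanza is the same on every peer, it can be distributed to the whole cluster from the master node, which keeps peer configurations identical as recommended earlier in the thread.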