Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does Splunk support two search head clusters with one indexer cluster?

ankithreddy777
Contributor
‎01-10-2017 10:03 AM

Does Splunk support two search head clusters with one indexer cluster? Basically we have 3 search heads clustered. we want to add other 3 search heads which should be separately clustered. Is it possible?

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-10-2017 11:43 AM

Yes you can. One indexer cluster can be searched by multiple search head clusters and vice versa. You need to do following steps on each member of both SHC.

http://docs.splunk.com/Documentation/Splunk/6.5.1/DistSearch/SHCandindexercluster

View solution in original post

Reply
Solved! Jump to solution

lgely
Explorer
‎07-08-2017 02:04 PM

Yes ! You can have 2 Search Head Cluster and only one indexer cluster and request same data from each one

SHC 1 : at least 3 SH + Deployer1
SHC 2 : at least 3 SH + Deployer2
=> you need have one deployer by SHC to deploy apps on SHC 1 and other apps on SHC 2

The difference is in server.conf :
same keypass under [clustering] stanza to exchange with master node of your cluster indexer
but
different keypass under [shclustering] stanza to have 2 SHC

example server.conf on one SH of your new SHC
[shclustering]
conf_deploy_fetch_url = https://ip_deployer2:8089
disabled = 0
mgmt_uri = https://ip_new_sh:8089
pass4SymmKey = < NEW keypass between SH/deployer for your new cluster >
shcluster_label = sh_cluster2
id = XXXXXXXXXXXXXXXXXXXXXXXXXXXX

[clustering]
master_uri = https://same_ip_on_each_SH:8089
mode = searchhead
pass4SymmKey = < same keypass you have on your master node >

[general]
serverName = sh01_cluster2
pass4SymmKey = < same keypass you have on your licence server >

[license]
master_uri = https://same_ip_on_each_SHC:8089

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-10-2017 11:43 AM

Yes you can. One indexer cluster can be searched by multiple search head clusters and vice versa. You need to do following steps on each member of both SHC.

http://docs.splunk.com/Documentation/Splunk/6.5.1/DistSearch/SHCandindexercluster

Reply
Solved! Jump to solution

niketn
Legend
‎01-10-2017 10:31 AM

Splunk Search Head Clustering requires minimum three search heads.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...