Deployment Architecture

How can index clusters and search head clusters interact with each other in Splunk Enterprise on AWS?

shivam99aa
Engager

I am trying to learn Splunk and understand how to install Splunk Enterprise on AWS.

While reading through the documentation I came across index clusters and head search clusters in Splunk, but there is no documentation (that I can find) showing how these 2 clusters interact with each other.

The Quick Start Guide sets up both an indexer cluster and a search head cluster in one environment, but even in this there is no mention of how these 2 work together and relate to each other.

Any reference to a relevant doc or an explanation would be great.

Since I cannot make a hyperlink, the URL for the quick start guide is https://s3.amazonaws.com/quickstart-reference/splunk/enterprise/latest/doc/splunk-enterprise-on-the-...


Richfez
SplunkTrust

Search head clusters and indexer clusters are two entirely independent types of clusters used for entirely different purposes.

Indexer clusters connect together multiple indexers so they share data for redundancy or performance, spread out the "indexer side" of the search load (which can be most of it, depending on your searches) and so on. It supports data replication, inputs load balancing, all that sort of stuff.

Search Head clusters (SHC) are a way to build a cluster of search heads. So it is much like indexer clustering, only it handles users, dispatching searches, displaying the data and so on.

The two interact mainly via a simple mechanism.

Search heads (and search head clusters) search the data held on Indexers (and indexer clusters). That's really about it. You can have a SHC search a single indexer, you can have a single SH search an Indexer cluster. Or a single SH search a single Indexer. Or a SHC search an Indexer cluster.

For those different scenarios, the only real difference is the setup of the indexer/SH side of things with respect to the cluster. Once that cluster is set up, the interaction between the two is defined by Settings/Distributed Search.

Does that help?
Happy Splunking!
-Rich
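
The two attachment modes described in the answer above, as an added configuration example that is not part of the original post or the Quick Start Guide. Host names and the secret are constructed placeholders; the stanza and setting names are standard Splunk Enterprise ones.

```ini
# ---------------------------------------------------------------
# Case 1: a search head (or every SHC member) searching standalone
#         indexers. File: distsearch.conf on the search head.
# ---------------------------------------------------------------
# Each entry is the indexer's management port (8089 by default).
# Adding peers through Settings > Distributed search or the
# "splunk add search-server" CLI also performs the trust/key
# exchange with the peer; editing this file alone does not.
[distributedSearch]
servers = https://idx1.example.internal:8089,https://idx2.example.internal:8089

# ---------------------------------------------------------------
# Case 2: a search head (or every SHC member) searching an
#         indexer cluster. File: server.conf on the search head.
# ---------------------------------------------------------------
# The search head registers with the cluster manager node and
# learns the current list of peer indexers from it, so indexers
# are not listed one by one. Newer releases also accept the
# name manager_uri for master_uri.
[clustering]
mode = searchhead
master_uri = https://cm.example.internal:8089
# Shared secret of the indexer cluster. Placeholder value; use a
# long random string and restrict read access to this file.
pass4SymmKey = <indexer-cluster-secret>
```

In both cases the resulting peers show up under Settings > Distributed search on the search head, which is a quick way to confirm that the search tier can reach the indexing tier.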
