Deployment Architecture

How multisite SH clusters work

sushree1234
Explorer

I have a multisite cluster with 3 sites. It has 6 indexers as peer nodes clustered across the 3 sites (2 indexers each), managed by a manager node. We also have 2 SH clusters across the 3 sites.

SHcluster1 - total 9 SHs (we kept 3 SHs in each site) 
SHcluster2 - total 6 SHs (we kept 2 SHs in each site)
So I wanted to understand how the configuration is going to be on the deployer, each SH, and the manager node, as this will be a multisite cluster.

As per my knowledge, for a multisite cluster, the config for a single SH is:
Configure the search heads
-----------------------------------
sudo ./splunk edit cluster-config -mode searchhead -site site1 -manager_uri <URI>:<mngmtPort> -secret <secretkey>

So likewise, what will be the configuration for SH clusters in multisite?

0 Karma

sushree1234
Explorer

We are not going to use the root user for any internal config changes; it's just an example I copy-pasted for reference.

And my bad, I placed the numbers wrongly. It's 6 SHs in 1 cluster and 3 in another (those are reporting SHs), not for normal users.

Could you please explain the configuration? In the Splunk docs I can see the configuration for a single SH, not for SH clusters with a multisite indexer cluster.

0 Karma

isoutamo
SplunkTrust

You can find the explanation here.

If/when your SHCs have different roles, then you need a separate Deployer for each; don't use the same Deployer instance if the content of those SHCs is different.

It's hard to give you any detailed explanation of your environment without knowing more about it. And as I said, basically you have too many SHC members (SHs) vs. indexer peers. That is something which I cannot understand with your current information.

 

0 Karma

isoutamo
SplunkTrust

Hi

You have quite an interesting setup! Usually the relation between SH and IDX is something like 1:5-7. If you have a very active SHC, then it will bring your indexer cluster to its knees!

Can you explain why you have two quite big SHCs with one small IDX cluster?

How to configure site settings on your SHC side? This depends on how your SHC is physically located vs. your IDX and users. Quite often site affinity is in use when SHC nodes haven't been set to a specific site. Instead they are using site0 as their site information. In that case those nodes use IDX peers across all sites. If you have set a specific site like site1 on the SHC nodes in some site, then those members use only site1's indexer peers (instead of all 6) when they are running queries.

Based on sudo ./splunk, you are running your Splunk as root, which is against best practices and creates a security risk. You should change Splunk to run as a separate "splunk" user instead of root. See the Splunk Security Guide.

r. Ismo

0 Karma
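
As an added example (not written by anyone in this thread): the server.conf settings that correspond to the `splunk edit cluster-config -mode searchhead -site ...` command quoted in the question, as they would look on one search head cluster member. The host, port and secret are placeholders, and which site value each member gets is an assumption to decide per member along the lines of the reply above.

```ini
# server.conf on one search head cluster member that sits in site1.
# Constructed example: <manager-host>, <mgmtPort> and <secretkey> are
# placeholders, not values from this thread.

[general]
# Site this member belongs to. With a specific site, the member's
# searches use that site's indexer peers, as described in the reply above.
site = site1
# Alternative: site0 means no specific site, so the member searches
# indexer peers on all sites.
# site = site0

[clustering]
# Join the multisite indexer cluster as a search head.
mode = searchhead
multisite = true
manager_uri = https://<manager-host>:<mgmtPort>
# Must match the secret configured on the manager node.
pass4SymmKey = <secretkey>
```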