How to migrate a single distributed search head to a Search Head Cluster with 3 members?

siva_cg
Path Finder

Hi All,

We are planning to migrate a single distributed search head to a Search Head Cluster with 3 members, and would like to use the existing Cluster Master, which also acts as License Master and Deployment Server (around 20 Universal Forwarders), as the Deployer for the Search Head Cluster members. Is it a good idea to run the environment like this? It would be very helpful if you have any suggestions. Thanks in advance.

0 Karma
1 Solution

adonio
Ultra Champion

Hello there,

Good is a relative term.
There are also many other variables to consider, such as:
What OS are you running on?
How many indexers?
How many indexes? And how many buckets are replicated per hour?
How much data is being indexed daily?
What are your VM specs? CPU, memory?
In any case, although Splunk best practice is to have a single machine for each role (License Master, Cluster Master, Deployer, Deployment Server), and Splunk says not to have the Deployment Server with the Cluster Master under any circumstances (which you are already doing), I have seen many deployments with shared Splunk server roles.
Read here all the way:
http://docs.splunk.com/Documentation/Splunk/7.1.2/Indexer/Systemrequirements
Elaborated answer here:
https://answers.splunk.com/answers/380825/possible-combinations-of-splunk-instances-with-dif.html

To sum it up, it is a poor practice, but it will work.

Hope it helps.

0 Karma

siva_cg
Path Finder

Hi @adonio,

Thank you for the feedback. We have a very low indexing rate (ingesting 10GB/day) in that environment; it is mainly used for testing purposes, and we want to make that environment identical to production.

0 Karma