My current Splunk setup is:
1 - standalone search
1 - master node
3 - indexer (clustering)
Future Splunk setup:
3 - search head (clustering)
1 - master node
3 - indexer (clustering)
I would like to implement a clustering setup for the search head. I need your opinion on how to do this without affecting the service. If there is any wiki, please let me know. Thank you.
First of all, take a look at the documentation here.
Basically, what you want to do is enable your master for all the servers in the configuration files (described in the documentation). Additionally, you will need a deployer (it can be run on the server where the master is hosted). The deployer will manage the Search Head cluster. After setting up the master and deployer accordingly, you will then create the indexer cluster.
Please note that it's not possible to migrate your current buckets into clustered (replicated) buckets on your own. At least it's not recommended to do so.
After successfully setting up the Indexer cluster, you will proceed with the Search Head cluster.
Why are you going towards SHC? You should only do this if you need more concurrent search capability. SHC is NOT a DR/HA solution (it actually makes it less stable).
Thanks for the update. The reason why I want to go for this setup is that when many people start searching for the data, it will create a lot of load on the search node. Am I right? Is this how Splunk works? Sorry, I am new to Splunk. I am not sure whether the load is created on the search node or the indexer.
I am looking for a similar setup. My main concern is load on the search node. If I want to do the setup like above, will it be stable? Is there any difficulty I will face?