Deployment Architecture

If search head clustering can use "commodity" hardware, is there any reason I can't cluster 10 cpu servers to meet search requirements?

a212830
Champion

I have a question about using search-head clustering. If it can truly use "commodity" hardware, is there any reason that I can't cluster together a bunch of 4 cpu servers, to meet my search requirements? I find that Splunk uses the term "commodity" hardware very loosely. Why couldn't I have 10 servers, for example, providing the search-head clustering capability?

0 Karma
1 Solution

_d_
Splunk Employee
Splunk Employee

You can cluster search heads as long they satisfy the minimum Splunk Enterprise system requirements.

View solution in original post

_d_
Splunk Employee
Splunk Employee

You can cluster search heads as long they satisfy the minimum Splunk Enterprise system requirements.

a212830
Champion

That's not really an answer, and certainly not the one that I get from prof services. By itself, a 4 cpu server for a search-head should be fine - it depends on the number of searches that are performed on it. So, if I scale it out, would it work? If not, why not?

0 Karma

_d_
Splunk Employee
Splunk Employee

So, what is your actual question then? Is it about scaling of Search Head Clustering or whether or not you can cluster 10 servers or are you looking for advice on whether clustering 10 4CPU machines is a good idea? They're all completely different questions, but i'll address them here for you:
- Yes, SHC scales
- Yes, SHC will work on 10 machines
- Creating a 10 node cluster of 4CPU machines is not necessarily a good idea. 4CPU machines are really difficult to find nowadays and therefore they're not commodity. You are more likely to find 12, 16 CPU machines than anything else in today's market. Chances are you're referring to VMs, in which case you're much better off with a lower number of machines with more cores than the opposite. Anytime you introduce a overlay mechanism, such as clustering, you're inevitably paying one way or another with overhead - nothing is free - so, the fewer machines that you can use that satisfy your requirement, the better. If you have 10 4CPU VMs you'd have a better experience if you make them into 5 8CPU VMs.

a212830
Champion

Thanks. Yes, that's the type of situation that I'm trying to understand. I am looking at using vm's instead of physical servers, and scaling them horizontally.

0 Karma
Get Updates on the Splunk Community!

This Week's Community Digest - Splunk Community Happenings [9.26.22]

Get the latest news and updates from the Splunk Community here! Upcoming User Group Events! 👏 Check ...

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...