Deployment Architecture

In a Splunk cluster, is it good practice to have indexer peers to be as search peers?

neltonk
Path Finder

Hi, I have just installed a Splunk cluster. My configuration is supposed to be 1 Master(also the licensing master) , 3 peers, 1 search head.
However after installation in the cluster dashboard on the master, I see two search heads.

In the search heads tab in the clustering dashboard of the master, I see two search heads listed. I dont see any option to remove the master node.

The master node has automatically assigned it self as search head? is this correct? if no, how do I correct this situation?

The Search Head dashboard, I see the cluster Master listed correctly. Under Search peers in Distributed Search, I see the 3 indexer peers listed as search peers. the master node is not listed as search peer. It does not reflect the master node dashboard. is it a good practice to have indexer peers to be as search peers? I am confused here and need some help.

I am new to splunk and have not attended the clustering training yet, so please I need help.

0 Karma
1 Solution

DalJeanis
Legend

Per Nadine, one of my favorite Splunkers, the Cluster Master is always a search head. That does not mean that you let people search from it, it just means that one of its functions is gathering data from the other boxes. Presumably, you have also established the Monitoring Console on the same box.

Here is some background terminology, with links ...

1) A search head that is not an indexer itself is called a "dedicated search head".

https://docs.splunk.com/Splexicon:Searchhead

2) Indexers in a cluster are referred to as "peers" or "peer nodes" or "search peers".

https://docs.splunk.com/Splexicon:Searchpeer
https://docs.splunk.com/Splexicon:Peernode

3) The master node is not an indexer, so it is not a search peer.

https://docs.splunk.com/Splexicon:Masternode

4) All of the above, including search heads, are the different types of "indexer cluster nodes".

https://docs.splunk.com/Splexicon:Clusternode

View solution in original post

DalJeanis
Legend

Per Nadine, one of my favorite Splunkers, the Cluster Master is always a search head. That does not mean that you let people search from it, it just means that one of its functions is gathering data from the other boxes. Presumably, you have also established the Monitoring Console on the same box.

Here is some background terminology, with links ...

1) A search head that is not an indexer itself is called a "dedicated search head".

https://docs.splunk.com/Splexicon:Searchhead

2) Indexers in a cluster are referred to as "peers" or "peer nodes" or "search peers".

https://docs.splunk.com/Splexicon:Searchpeer
https://docs.splunk.com/Splexicon:Peernode

3) The master node is not an indexer, so it is not a search peer.

https://docs.splunk.com/Splexicon:Masternode

4) All of the above, including search heads, are the different types of "indexer cluster nodes".

https://docs.splunk.com/Splexicon:Clusternode

nnmiller
Contributor

This is normal behavior. An index cluster master is also a search head -- that's how it populates all the cluster master's "indexer clustering" information. A standalone License Master, if added to the monitoring console would also have the role of "Search Head", since that's where the license dashboards are generated.

0 Karma

neltonk
Path Finder

Thanks a lot for the quick response

0 Karma

DalJeanis
Legend

Don't panic. We'll help you get yourself straightened out.

0 Karma

neltonk
Path Finder

Thanks a lot for the quick response. I can now proceed with the next steps...

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...