Deployment Architecture

Is it possible to build a search head cluster with only 2 search heads and the master as a deployer?

Federica_92
Communicator

Hi everyone,

I would like try to build a search head cluster using only 2 search heads and the master as a deployer. Is this possible?

I saw on the online documentation that at least 3 search heads are required.

masonmorales
Influencer

If you virtualize your two search heads, then yes, it is possible. You need to be running at least three instances of Splunk for a search head cluster. You can use the master as a deployer as well, but it is best practice to keep the two separate.

0 Karma

damode
Motivator

Captain_election_process_has_deployment_implications

Based on the above link,

A cluster must consist of a minimum of
three members.

Is there any workaround to this ?

0 Karma

Federica_92
Communicator

How can I virtualize the 2 search heads?

0 Karma

Federica_92
Communicator

Just ubuntu:
DISTRIB_RELEASE=14.04
DISTRIB_DESCRIPTION="Ubuntu 14.04.3 LTS"

0 Karma

masonmorales
Influencer

Take a look at VirtualBox. It's named virtualbox-ose in the repositories.

Please choose Accept Answer if my response helped with your question.

0 Karma

masonmorales
Influencer

What Operating System are they running?

0 Karma

dflodstrom
Builder

Search head clusters must have at least 3 members.

Required number of instances

The cluster must contain at a minimum the number of members needed to fulfill both of these requirements:

    Three members, so that the cluster can continue to function if one member goes down. See "Captain election process has deployment implications."
    The replication factor number of instances. See "Choose the replication factor for the search head cluster." 

For example, if your replication factor is either 2 or 3, you need at least three instances. If your replication factor is 5, you need at least five instances.

You can optionally add more members to boost search and user capacity. 

http://docs.splunk.com/Documentation/Splunk/6.2.5/DistSearch/SHCsystemrequirements

Are you planning on using an existing cluster master as the deployer? Do not think that would be an issue, the deployer is basically idle until you need to push a change.

grijhwani
Motivator

It's slightly more convoluted than that, because for the election process to be guaranteed to be successful you have to have a definite majority remaining - i.e more than 50% - after the failure. If you only have two in the cluster they can fail to elect, because there could be a hung vote. With three or more it is always possible to get an absolute majority, although with any even number a temporarily hung vote is a possibility.

0 Karma

Federica_92
Communicator

so do I need 3 instances or 3 search head and 1 deployer?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...