Deployment Architecture

Is it possible to build a search head cluster with only 2 search heads and the master as a deployer?

Federica_92
Communicator

Hi everyone,

I would like try to build a search head cluster using only 2 search heads and the master as a deployer. Is this possible?

I saw on the online documentation that at least 3 search heads are required.

masonmorales
Influencer

If you virtualize your two search heads, then yes, it is possible. You need to be running at least three instances of Splunk for a search head cluster. You can use the master as a deployer as well, but it is best practice to keep the two separate.

0 Karma

damode
Motivator

Captain_election_process_has_deployment_implications

Based on the above link,

A cluster must consist of a minimum of
three members.

Is there any workaround to this ?

0 Karma

Federica_92
Communicator

How can I virtualize the 2 search heads?

0 Karma

Federica_92
Communicator

Just ubuntu:
DISTRIB_RELEASE=14.04
DISTRIB_DESCRIPTION="Ubuntu 14.04.3 LTS"

0 Karma

masonmorales
Influencer

Take a look at VirtualBox. It's named virtualbox-ose in the repositories.

Please choose Accept Answer if my response helped with your question.

0 Karma

masonmorales
Influencer

What Operating System are they running?

0 Karma

dflodstrom
Builder

Search head clusters must have at least 3 members.

Required number of instances

The cluster must contain at a minimum the number of members needed to fulfill both of these requirements:

    Three members, so that the cluster can continue to function if one member goes down. See "Captain election process has deployment implications."
    The replication factor number of instances. See "Choose the replication factor for the search head cluster." 

For example, if your replication factor is either 2 or 3, you need at least three instances. If your replication factor is 5, you need at least five instances.

You can optionally add more members to boost search and user capacity. 

http://docs.splunk.com/Documentation/Splunk/6.2.5/DistSearch/SHCsystemrequirements

Are you planning on using an existing cluster master as the deployer? Do not think that would be an issue, the deployer is basically idle until you need to push a change.

grijhwani
Motivator

It's slightly more convoluted than that, because for the election process to be guaranteed to be successful you have to have a definite majority remaining - i.e more than 50% - after the failure. If you only have two in the cluster they can fail to elect, because there could be a hung vote. With three or more it is always possible to get an absolute majority, although with any even number a temporarily hung vote is a possibility.

0 Karma

Federica_92
Communicator

so do I need 3 instances or 3 search head and 1 deployer?

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...