Deployment Architecture

Is it possible to build a search head cluster with only 2 search heads and the master as a deployer?

Federica_92
Communicator

Hi everyone,

I would like to try to build a search head cluster using only 2 search heads and the master as a deployer. Is this possible?

I saw in the online documentation that at least 3 search heads are required.

masonmorales
Influencer

If you virtualize your two search heads, then yes, it is possible. You need to be running at least three instances of Splunk for a search head cluster. You can use the master as a deployer as well, but it is best practice to keep the two separate.

0 Karma

damode
Motivator

Captain_election_process_has_deployment_implications

Based on the above link,

A cluster must consist of a minimum of three members.

Is there any workaround to this?

0 Karma

Federica_92
Communicator

How can I virtualize the 2 search heads?

0 Karma

Federica_92
Communicator

Just Ubuntu:
DISTRIB_RELEASE=14.04
DISTRIB_DESCRIPTION="Ubuntu 14.04.3 LTS"

0 Karma

masonmorales
Influencer

Take a look at VirtualBox. It's named virtualbox-ose in the repositories.

Please choose Accept Answer if my response helped with your question.

0 Karma

masonmorales
Influencer

What Operating System are they running?

0 Karma

dflodstrom
Builder

Search head clusters must have at least 3 members.

Required number of instances

The cluster must contain at a minimum the number of members needed to fulfill both of these requirements:

    Three members, so that the cluster can continue to function if one member goes down. See "Captain election process has deployment implications."
    The replication factor number of instances. See "Choose the replication factor for the search head cluster." 

For example, if your replication factor is either 2 or 3, you need at least three instances. If your replication factor is 5, you need at least five instances.

You can optionally add more members to boost search and user capacity. 

http://docs.splunk.com/Documentation/Splunk/6.2.5/DistSearch/SHCsystemrequirements

Are you planning on using an existing cluster master as the deployer? I do not think that would be an issue; the deployer is basically idle until you need to push a change.

grijhwani
Motivator

It's slightly more convoluted than that, because for the election process to be guaranteed to be successful you have to have a definite majority remaining (i.e., more than 50%) after the failure. If you only have two in the cluster they can fail to elect, because there could be a hung vote. With three or more it is always possible to get an absolute majority, although with any even number a temporarily hung vote is a possibility.

0 Karma

Federica_92
Communicator

So do I need 3 instances, or 3 search heads and 1 deployer?

0 Karma