Deployment Architecture
Highlighted

Is it possible to build a search head cluster with only 2 search heads and the master as a deployer?

Communicator

Hi everyone,

I would like try to build a search head cluster using only 2 search heads and the master as a deployer. Is this possible?

I saw on the online documentation that at least 3 search heads are required.

Highlighted

Re: Is it possible to build a search head cluster with only 2 search heads and the master as a deployer?

Builder

Search head clusters must have at least 3 members.

Required number of instances

The cluster must contain at a minimum the number of members needed to fulfill both of these requirements:

    Three members, so that the cluster can continue to function if one member goes down. See "Captain election process has deployment implications."
    The replication factor number of instances. See "Choose the replication factor for the search head cluster." 

For example, if your replication factor is either 2 or 3, you need at least three instances. If your replication factor is 5, you need at least five instances.

You can optionally add more members to boost search and user capacity. 

http://docs.splunk.com/Documentation/Splunk/6.2.5/DistSearch/SHCsystemrequirements

Are you planning on using an existing cluster master as the deployer? Do not think that would be an issue, the deployer is basically idle until you need to push a change.

Highlighted

Re: Is it possible to build a search head cluster with only 2 search heads and the master as a deployer?

Motivator

It's slightly more convoluted than that, because for the election process to be guaranteed to be successful you have to have a definite majority remaining - i.e more than 50% - after the failure. If you only have two in the cluster they can fail to elect, because there could be a hung vote. With three or more it is always possible to get an absolute majority, although with any even number a temporarily hung vote is a possibility.

0 Karma
Highlighted

Re: Is it possible to build a search head cluster with only 2 search heads and the master as a deployer?

Communicator

so do I need 3 instances or 3 search head and 1 deployer?

0 Karma
Highlighted

Re: Is it possible to build a search head cluster with only 2 search heads and the master as a deployer?

Influencer

If you virtualize your two search heads, then yes, it is possible. You need to be running at least three instances of Splunk for a search head cluster. You can use the master as a deployer as well, but it is best practice to keep the two separate.

0 Karma
Highlighted

Re: Is it possible to build a search head cluster with only 2 search heads and the master as a deployer?

Communicator

How can I virtualize the 2 search heads?

0 Karma
Highlighted

Re: Is it possible to build a search head cluster with only 2 search heads and the master as a deployer?

Influencer

What Operating System are they running?

0 Karma
Highlighted

Re: Is it possible to build a search head cluster with only 2 search heads and the master as a deployer?

Communicator

Just ubuntu:
DISTRIBRELEASE=14.04
DISTRIB
DESCRIPTION="Ubuntu 14.04.3 LTS"

0 Karma
Highlighted

Re: Is it possible to build a search head cluster with only 2 search heads and the master as a deployer?

Influencer

Take a look at VirtualBox. It's named virtualbox-ose in the repositories.

Please choose Accept Answer if my response helped with your question.

0 Karma
Highlighted

Re: Is it possible to build a search head cluster with only 2 search heads and the master as a deployer?

Builder

Captainelectionprocesshasdeployment_implications

Based on the above link,

A cluster must consist of a minimum of
three members.

Is there any workaround to this ?

0 Karma