Deployment Architecture

Is it possible to build a search head cluster with only 2 search heads and the master as a deployer?

Communicator

Hi everyone,

I would like try to build a search head cluster using only 2 search heads and the master as a deployer. Is this possible?

I saw on the online documentation that at least 3 search heads are required.

Influencer

If you virtualize your two search heads, then yes, it is possible. You need to be running at least three instances of Splunk for a search head cluster. You can use the master as a deployer as well, but it is best practice to keep the two separate.

0 Karma

Builder

Captain_election_process_has_deployment_implications

Based on the above link,

A cluster must consist of a minimum of
three members.

Is there any workaround to this ?

0 Karma

Communicator

How can I virtualize the 2 search heads?

0 Karma

Communicator

Just ubuntu:
DISTRIB_RELEASE=14.04
DISTRIB_DESCRIPTION="Ubuntu 14.04.3 LTS"

0 Karma

Influencer

Take a look at VirtualBox. It's named virtualbox-ose in the repositories.

Please choose Accept Answer if my response helped with your question.

0 Karma

Influencer

What Operating System are they running?

0 Karma

Builder

Search head clusters must have at least 3 members.

Required number of instances

The cluster must contain at a minimum the number of members needed to fulfill both of these requirements:

    Three members, so that the cluster can continue to function if one member goes down. See "Captain election process has deployment implications."
    The replication factor number of instances. See "Choose the replication factor for the search head cluster." 

For example, if your replication factor is either 2 or 3, you need at least three instances. If your replication factor is 5, you need at least five instances.

You can optionally add more members to boost search and user capacity. 

http://docs.splunk.com/Documentation/Splunk/6.2.5/DistSearch/SHCsystemrequirements

Are you planning on using an existing cluster master as the deployer? Do not think that would be an issue, the deployer is basically idle until you need to push a change.

Motivator

It's slightly more convoluted than that, because for the election process to be guaranteed to be successful you have to have a definite majority remaining - i.e more than 50% - after the failure. If you only have two in the cluster they can fail to elect, because there could be a hung vote. With three or more it is always possible to get an absolute majority, although with any even number a temporarily hung vote is a possibility.

0 Karma

Communicator

so do I need 3 instances or 3 search head and 1 deployer?

0 Karma