Is it possible to create a search head cluster where search heads have different hardware specs?

dsmc_adv
Path Finder

We are upgrading from Splunk 6.1 to 6.3, but the problem we are facing is that we are now supporting a search head pool with 2 physical servers and 1 virtual with lower hardware. Since each server has its own config, it's not a big deal. We have the virtual out of the balancer and only use it through the API for some apps. With 6.3, if you want a cluster, the minimum number of nodes is 3, but I have read from the docs:

"Splunk recommends that you use homogeneous machines with identical hardware specifications for all cluster members. The reason is because the cluster captain assigns scheduled jobs to members based on their current job loads. When it does this, it does not have insight into the actual processing power of each member's machine. Instead, it assumes that each machine is provisioned equally."

Is there no way to create a search head cluster where a server has less weight than the others? Are only the scheduled jobs the main problem?

0 Karma
1 Solution

somesoni2
Revered Legend

You should be able to get away with a non-homogeneous hardware setup, but it would be better if you consider upgrading the hardware of your virtual node to match the 2 physical. To get around load-based scheduled jobs, you can change the scheduling mechanism from load based to round robin by setting the following property in server.conf on the SH cluster.

[shclustering]
scheduling_heuristic = <string>
* This setting configures the job distribution heuristic on the captain.
* There are currently two supported strategies: 'round_robin' or
  'scheduler_load_based'.
* Default is 'scheduler_load_based'.

Or you can set the virtual node not to run scheduled searches by setting the following property in server.conf on that node.

[shclustering]
adhoc_searchhead = <bool>
* This setting configures a member as an adhoc searchhead; i.e., the member
  will not run any scheduled jobs.
* Use the setting captain_is_adhoc_searchhead to reduce compute load on the
  captain.
* Defaults to false.

0 Karma
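
An added example, not part of the original answer or Splunk's own tooling: a small Python check that reads each member's server.conf and reports whether the two settings above are applied consistently. The member names and file contents are constructed, the accepted boolean spellings are an assumption, and it assumes any member can be elected captain, so scheduling_heuristic should match on all of them.

```python
import configparser

DEFAULT_HEURISTIC = "scheduler_load_based"    # default per the spec text quoted above
SUPPORTED = {"round_robin", "scheduler_load_based"}
TRUE_VALUES = {"1", "true", "t", "yes", "y"}  # assumption: accepted boolean spellings

# Constructed sample: [shclustering] stanzas from three hypothetical members.
SAMPLE_MEMBERS = {
    "sh-phys-1": "[shclustering]\nscheduling_heuristic = round_robin\n",
    "sh-phys-2": "[shclustering]\nscheduling_heuristic = round_robin\n",
    "sh-virt-1": "[shclustering]\nadhoc_searchhead = true\n",
}

def shc_settings(conf_text):
    """Return (scheduling_heuristic, adhoc_searchhead) for one member's server.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("shclustering"):
        return DEFAULT_HEURISTIC, False
    sec = cp["shclustering"]
    heuristic = sec.get("scheduling_heuristic", fallback=DEFAULT_HEURISTIC).strip()
    adhoc = sec.get("adhoc_searchhead", fallback="false").strip().lower() in TRUE_VALUES
    return heuristic, adhoc

def audit(members):
    """members maps member name -> server.conf text. Returns a list of findings."""
    parsed = {name: shc_settings(text) for name, text in members.items()}
    findings = []
    heuristics = {h for h, _ in parsed.values()}
    if len(heuristics) > 1:
        # The heuristic is read on the captain; a mismatch changes behaviour
        # whenever captaincy moves to a member with a different value.
        findings.append("scheduling_heuristic differs between members: "
                        + ", ".join(sorted(heuristics)))
    for name, (h, _) in sorted(parsed.items()):
        if h not in SUPPORTED:
            findings.append(f"{name}: unsupported scheduling_heuristic '{h}'")
    if parsed and all(adhoc for _, adhoc in parsed.values()):
        findings.append("every member is adhoc_searchhead; no member will run scheduled jobs")
    return findings

if __name__ == "__main__":
    for name in sorted(SAMPLE_MEMBERS):
        print(name, shc_settings(SAMPLE_MEMBERS[name]))
    for finding in audit(SAMPLE_MEMBERS):
        print("FINDING:", finding)
```

In the constructed sample the virtual member is marked ad hoc but was left on the default heuristic, which is the mismatch the check reports.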

dsmc_adv
Path Finder

Adding more hardware is not an option at this moment. We are talking about servers with 32 CPUs and 128 GB of RAM.

The other option was running with a deprecated search pool in 6.3. I will take a look at these parameters.

Thank you

0 Karma