Deployment Architecture

Is there an alternative to having three members in a search head cluster?

Builder

I have deployed the Splunk Search Head Cluster with two Search Head members and a Deployer.

I read here Captain election process has deployment implications
that a cluster must consist of a minimum of three members to participate in dynamic captain election process.

If I don't have the option to add a third one. and a cluster cannot function without a captain, can I use the "static captain" option to overcome the problem? Or are there any better alternatives or workarounds for this issue ?

0 Karma

SplunkTrust
SplunkTrust

I believe you can build a SHC with just 2 members. At least I know you could when SHC first came out.

Yes you could make one of those two static/permanent captain. However, if the captain goes down... the SHC will no longer execute scheduled searches.

So it can be done but then that defeats the purpose of SHC. SHC is to give High Availability to the splunk web itself yes... but the most common use case is “High Availablility” for your searches. Aka, scheduled searches always have a search head to run on.

If you don’t need HA, then I would argue that you don’t need SHC. And if you need HA, then you need 4 (YES FOUR) search heads in a cluster. You need 4 not 3 so that IF a captain goes down, there’s stil an odd number of search heads to complete a raft election.

0 Karma

Builder

Thanks. If I choose to add a third member, whats the lowest spec I can add to it to make it part of the cluster and participate in the dynamic captain election process ?

Will 2GB ram and 2 vCPU be enough for it ?

0 Karma