Deployment Architecture

Key differences between clustered and non-clustered deployments

pil321
Communicator

We are currently looking at going to a clustered deployment and I was going through the documentation.

One of the key differences I can see so far is how you manage the deployment. Instead of using a deployment server for your indexer peers, you use a configuration bundle. It also says you can use deployment server to distribute updates to cluster search heads. What is not clear (and not mentioned in the documentation as far as I can tell) is whether or not you can use the deployment server to manage the rest of your deployment.

Is it possible to still use a deployment server to manage all other hosts?

0 Karma

Steve_G_
Splunk Employee

You can use the deployment server to manage forwarders in any deployment, clustered or not.

In the case of indexer clustering, you must use the cluster master to distribute updates to the indexers. You can use the deployment server to update the search heads in an indexer cluster (but only if they are not also members of a search head cluster).

In the case of search head clustering, you must use the deployer (not deployment server) to update the search head cluster members.

0 Karma

pil321
Communicator

6) When you convert an indexer to a cluster peer, disk usage will go up significantly. Make sure that you have sufficient disk space available, relative to daily indexing volume, search factor, and replication factor. For detailed information on peer disk usage.
7) Cluster nodes cannot share Splunk Enterprise instances. The master node, peer nodes, and search head must each run on its own instance.

Also, I will suggest you refer to the following links:
i) “Migrating from a non-clustered Splunk Enterprise deployment?” at link http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Aboutclusters
ii) http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Upgradeacluster
iii) Here is good information on Cluster to Bucket: http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Bucketsandclusters

0 Karma

pil321
Communicator

Thanks Steve G.

In case anyone out there is interested, I posed the same question to Splunk support and this was their answer:

If you are planning to move from a non-cluster environment to a cluster environment, here are some of the key points to watch out for when enabling Cluster Replication from indexer:
1) Also, it is required that in a clustered environment all the Splunk instances like Cluster Master, Clustered indexer and Clustered Search head need to be on the exact same Splunk version.
2) In a clustered environment one of the requirements is to keep all the conf files in sync (for example indexes.conf, inputs.conf, etc.). As a result, to deploy the application and config files to the indexers you will need to use the Cluster Master “Deploy Bundle”.
3) Also, you are correct: Deployment Server cannot be used to deploy applications to the clustered indexers and Cluster Master. For other Splunk instances like Search Head and Universal Forwarder you can still continue to use Deployment Server.
4) For clustered environment you will need Cluster Master, Cluster Peer and Search Head that is enabled from clustering.
5) Although not required you should enable indexer acknowledgment for the forwarders sending data to the peer. Refer: http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Useforwarderstogetyourdata#How_indexer_ack...

0 Karma

thomrs
Communicator

We have our search heads in a distributed search config now and are looking to move to SH clustering. With SH cluster you no longer need a shared bundle for the SH to share status. With SH clustering the SHs talk to each other to share info - a huge advantage if you ask me. Our plan is to split off our Delivery Server into standalone boxes, one for each department. They can then control their UF w/o any effect on the core Splunk install.

We have a dozen indexers that will remain unclustered. We manage the indexers via the Delivery Server.

There is now a Splunk 6 Cluster Administration class. We're not making the move to clustering until we take this class and get formal training.

http://www.splunk.com/view/SP-CAAANG2

Hope this helps.

0 Karma

pil321
Communicator

Thanks for the input thomrs.

0 Karma

pil321
Communicator

Looks like my link above didn't work. Here it is again: http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Keydifferences

0 Karma