Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Master and Search Head together?

michael_lee
Path Finder
‎01-15-2016 10:01 PM

Is it possible to configure Master and Search head together in one spunk instance? If it is, what should I take note of?
thanks

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎01-16-2016 01:09 AM

As per splunk documentation,

A master node cannot do double duty as a peer node or a search node. The Splunk Enterprise instance that you enable as master node must perform only that single indexer cluster role. In addition, the master cannot share a machine with a peer.

Additional roles for the master node

As a general rule, you should dedicate the Splunk Enterprise instance running the master node to that single purpose. Under limited circumstances, however, the master instance can also fulfill certain other lightweight functions:

You can use the master's built-in search head for debugging purposes.
You might be able to run a search head cluster deployer on the master, depending on the master's load.
You might be able to run a distributed management console on the master instance, depending on the master's load.

To run a deployer or a distributed management console on the master, the master's cluster should stay below the following limits:

30 indexers
100,000 buckets
10 indexes
10 search heads

Reference : http://docs.splunk.com/Documentation/Splunk/6.3.2/Indexer/Enablethemasternode

Happy Splunking!

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎01-16-2016 01:09 AM

As per splunk documentation,

A master node cannot do double duty as a peer node or a search node. The Splunk Enterprise instance that you enable as master node must perform only that single indexer cluster role. In addition, the master cannot share a machine with a peer.

Additional roles for the master node

As a general rule, you should dedicate the Splunk Enterprise instance running the master node to that single purpose. Under limited circumstances, however, the master instance can also fulfill certain other lightweight functions:

You can use the master's built-in search head for debugging purposes.
You might be able to run a search head cluster deployer on the master, depending on the master's load.
You might be able to run a distributed management console on the master instance, depending on the master's load.

To run a deployer or a distributed management console on the master, the master's cluster should stay below the following limits:

30 indexers
100,000 buckets
10 indexes
10 search heads

Reference : http://docs.splunk.com/Documentation/Splunk/6.3.2/Indexer/Enablethemasternode

Happy Splunking!
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...