Deployment Architecture

Migrating to a distributed search architecture, is it required to change the distributed management console from standalone to distributed?

JabawokJayUK
Engager

We are migrating from 2 x split indexers (standalone) instances to 2 x split indexers and a dedicated search head / Deployment Server. There is no appetite for an indexer cluster and no possibility of a search head cluster due to OS incompatibility.

Q: Is it a requirement to migrate from standalone to distributed in this proposed configuration or am I better just having 3 standalone servers and managing config via the deployment server?

Both of the current standalone indexers are Windows 2012 while the new server that will be a search head and deployment server is CentOS. This rules out the possibility of a search head cluster across all three as that requires linux/Solaris on all three.

My thoughts are:

Linux Box as
- Deployment Server
- Licence Master
- KV Store
- Search Head

Win2012 1
- Indexer

Win2012 2
- Indexer

So my question is, would this likely work and are there any specific considerations or things to watch out for?

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Hint for the future: If you're asking a question about the Distributed Management Console (DMC), mention its name or abbreviation at least once in the question or tags.

As for the actual question, you can in principle leave all three DMCs in standalone. You'll get to monitor each instance from that instance.
I'd recommend setting the SH's DMC to distributed so you can monitor your indexes from the SH, but it's not technically required.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Hint for the future: If you're asking a question about the Distributed Management Console (DMC), mention its name or abbreviation at least once in the question or tags.

As for the actual question, you can in principle leave all three DMCs in standalone. You'll get to monitor each instance from that instance.
I'd recommend setting the SH's DMC to distributed so you can monitor your indexes from the SH, but it's not technically required.

martin_mueller
SplunkTrust
SplunkTrust

It's for your own good, to get more accurate responses in the future 🙂 The term "distributed" alone could refer to billions of Splunk features.

Does this answer your question or is there more?

0 Karma

JabawokJayUK
Engager

Assuming there are no specific things to watch out for, yes your answer covers the question, although I would like to point out that the title of the question does actually state "distributed management console" as per your requirements.

0 Karma

ppablo
Retired

I edited the title and the tags for you to reflect the content of your post as a benefit for users here in the Splunk community, and this was after I saw the clarification by @martin_mueller. He was just suggesting a best practice to help users with sifting through a sea of questions at a glance, rather than people having to open several posts to figure out if one is relevant to their own issue. I'm glad you found an answer. Martin is one of the most knowledgeable users in this space, so please play nice 🙂

0 Karma

JabawokJayUK
Engager

A little harsh as I thought the question was clear enough but heh, you seem to at least have considered the original question in your response.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I'm confused. You propose a SH-on-two-indexers scenario, and ask if distributed search (I guess?) is a requirement... Yes it is, but that's too obvious so you're probably trying to ask something different.

0 Karma

JabawokJayUK
Engager

Yes, distributed search is an mandatory component so implied. The question was related to standalone vs DMC configuration for the 3 instances.

0 Karma

woodcock
Esteemed Legend

Did you really mean DMC here? Or are we talking about DS? "Distributed Management Console" is totally different than "Deployment Server".

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

DMC does have two modes, standalone and distributed...

0 Karma

woodcock
Esteemed Legend

Even though I generally despise Windows and absolutely hate it is a backend server OS (mandatory periodic reboots to ensure uptime), this actually is from REAL experience, not prejudice. Windows boxes as Indexers have been nothing but a headache to me. Almost every release has had a BIG bug (memory leaks, crashing, port problems, etc.) that has caused significant and repeated downtime. My *Nix Indexers on the other hand, have only had 1 such problem EVER. I would NEVER deploy Windows OS in my Splunk infrastructure if there was ANY WAY AT ALL to avoid it. Also, there is a serious (unresolvable) incompatibility problem when using a Windows DS to deploy executable files out to *nix Deployment Clients (problems with ownership/permissions depending on what user you use to run Splunk DC instance) which means that if you (ever will) have *Nix Deployment Clients, then you have to have a *Nix Deployment Server to make it work.

0 Karma

JabawokJayUK
Engager

Although I share your issues with windows, there is NO possibility to change within the current project time-frame and the decision to use windows was made before I joined the project.

The decision to use linux as the deployment server (mine) comes from the documented fact that a windows deployment server cannot accurately maintain permissions to unix clients, so if unix is a required deployment client a unix server should be used. I saw no references to your statement regarding windows to unix in any research into this point though and have maintained other instances with unix managing windows clients quite happily.

The original question stands.

0 Karma

woodcock
Esteemed Legend

No, I had it backwards; the caveat is as you mentioned, I will re-edit my answer.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...