We are migrating from 2 x split indexers (standalone) instances to 2 x split indexers and a dedicated search head / Deployment Server. There is no appetite for an indexer cluster and no possibility of a search head cluster due to OS incompatibility.
Q: Is it a requirement to migrate from standalone to distributed in this proposed configuration or am I better just having 3 standalone servers and managing config via the deployment server?
Both of the current standalone indexers are Windows 2012 while the new server that will be a search head and deployment server is CentOS. This rules out the possibility of a search head cluster across all three as that requires Linux/Solaris on all three.
My thoughts are:
Linux Box as
- Deployment Server
- Licence Master
- KV Store
- Search Head
So my question is, would this likely work and are there any specific considerations or things to watch out for?
Even though I generally despise Windows and absolutely hate it as a backend server OS (mandatory periodic reboots to ensure uptime), this actually is from REAL experience, not prejudice. Windows boxes as Indexers have been nothing but a headache to me. Almost every release has had a BIG bug (memory leaks, crashing, port problems, etc.) that has caused significant and repeated downtime. My *Nix Indexers on the other hand, have only had 1 such problem EVER. I would NEVER deploy Windows OS in my Splunk infrastructure if there was ANY WAY AT ALL to avoid it. Also, there is a serious (unresolvable) incompatibility problem when using a Windows DS to deploy executable files out to *nix Deployment Clients (problems with ownership/permissions depending on what user you use to run Splunk DC instance) which means that if you (ever will) have *Nix Deployment Clients, then you have to have a *Nix Deployment Server to make it work.
Although I share your issues with Windows, there is NO possibility to change within the current project time-frame and the decision to use Windows was made before I joined the project.
The decision to use Linux as the deployment server (mine) comes from the documented fact that a Windows deployment server cannot accurately maintain permissions to Unix clients, so if Unix is a required deployment client a Unix server should be used. I saw no references to your statement regarding Windows to Unix in any research into this point though and have maintained other instances with Unix managing Windows clients quite happily.
The original question stands.
No, I had it backwards; the caveat is as you mentioned, I will re-edit my answer.
I'm confused. You propose a SH-on-two-indexers scenario, and ask if distributed search (I guess?) is a requirement... Yes it is, but that's too obvious so you're probably trying to ask something different.
Yes, distributed search is a mandatory component so implied. The question was related to standalone vs DMC configuration for the 3 instances.
Did you really mean DMC here? Or are we talking about DS? "Distributed Management Console" is totally different than "Deployment Server".
DMC does have two modes, standalone and distributed...
Hint for the future: If you're asking a question about the Distributed Management Console (DMC), mention its name or abbreviation at least once in the question or tags.
As for the actual question, you can in principle leave all three DMCs in standalone. You'll get to monitor each instance from that instance.
I'd recommend setting the SH's DMC to distributed so you can monitor your indexes from the SH, but it's not technically required.
A little harsh as I thought the question was clear enough but heh, you seem to at least have considered the original question in your response.