Deployment Architecture

Monitoring Console in Distributed search topology

chintan_shah
Path Finder

I have one instance which run as Search Head and other instance as Indexer. I wanted to know where should i setup Monitoring Console so that i can monitor the performance of search peers? If i try to setup distributed mode on my search head, its give me warning "Do not configure the DMC in distributed mode if this is a production search head. Doing so can change the behavior of all searches on this instance. This is dangerous and unsupported.
If you want to configure the DMC in distributed mode, you must locate the DMC on an instance that is not a production search head."

0 Karma

harsmarvania57
Ultra Champion

Hi @chintan_shah,

Based on http://docs.splunk.com/Documentation/Splunk/7.0.0/DMC/WheretohostDMC, you require dedicated search head to run Monitoring Console, do not configure Monitoring Console on production search head.

I hope this helps.

Thanks,
Harshil

0 Karma

skirven
Communicator

Hi! I have a follow on question to this. Looking at the current 7.3.1 documentation at https://docs.splunk.com/Documentation/Splunk/7.3.1/DMC/Addinstancesassearchpeers, we have:
1) A Cluster Master
2) A License Master (Small install)
3) 36 Indexers
4) 16 Search Heads

I want to run the DMC on a totally separate installation. Looking at this statement, it gives me pause. "If you are monitoring an indexer cluster and you are hosting the monitoring console on an instance other than the cluster master, you must add the cluster master as a search peer and you must configure the monitoring console instance as a search-head in that cluster"

Is this stating that I need to configure the DMC server as a SH inside the existing SH Cluster? Does this also mean it gets the same bundle replication from the Master Node? I don't want any production dependencies on the server. I don't mind treating it like Production, but I don't want any actual production searches, etc to be running on it?

I know there's the switch you flip on the DMC to put it in Distributed, and perhaps it's just a situation where it's running in this "Production" state until that switch is flipped?
Thanks!
Stephen

0 Karma

harsmarvania57
Ultra Champion

No, you do not need to add that DMC SH in SH Cluster, that will be standalone SH & dedicated for DMC.

When you point standalone SH to cluster master, it will automatically populates all Indexers from cluster master so you do not need to add Clustered Indexers in DMC as search peers.

I didn't get your last question.

PS: It will be good to open new question and refer this question in your question.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...