Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need more details about SH clustering

thevikramyadav
Engager
‎07-14-2024 01:41 AM

I'm getting confused in SH clustering, can someone help me.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

SanjayReddy
SplunkTrust
SplunkTrust
‎07-14-2024 09:18 AM

Hi @thevikramyadav 

In addtion to @PickleRick answer , below is the basic understandinf of  SH cluster 

SanjayReddy_0-1720973538202.png

Search head cluster need minimum of 3 search heads and max 100  

Group of search heads where apps, search, artifacts and jobs scheduling are same
 
  • Group of search heads
  • replicates knowledge objects
  • replicates search artifacts
  • increases search accessibility
 
Advantages
      • Horizontal scaling
      • High availability
      • No single point of failure

- Deployer

  • Centralized location to distribute apps and other configurations to search head cluster members
  • Not participate in searches


- Captain


- Its a cluster member with additional responsibilities
- responsible include


- Scheduling jobs/searches
- Coordinating alerts and alerts suppression across the cluster
- Pushes the knowledge bundle to search peers(indexers)
- Coordinating artifacts replication
- Replicating configuration updates


- Cluster members

- Same as search head in single instance
- Participate in searches

- Load balancer (optional)


- 3rd party software
- Resides between users and cluster members


- Replication factor


- Determines the number of copies of each artifact/search result
- Only artifact/search result from scheduled saves searches are replicated
- Results from ad hoc searches or real time searches are not replicated
- by default, schedules saves searches results are stored in
- $SPLUNK_HOME/var/run/splunk/dispatch/search/


- Search peers
         - These Indexers where data is searched

View solution in original post

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎07-14-2024 08:16 PM

Hi @thevikramyadav .. 

As you are aware, good questions will receive better answers! 

- are you confused about search factor, replication factor, etc

- are you confused about SHC maintenance, support tasks.. 

- are you confused about why SHC needed in first place?

- are you confused about SHC and distributed searching?.. 

- are you confused about licensing for SHC.. or something else.. 

 

Best Regards

Sekar

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

SanjayReddy
SplunkTrust
SplunkTrust
‎07-14-2024 09:18 AM

Hi @thevikramyadav 

In addtion to @PickleRick answer , below is the basic understandinf of  SH cluster 

SanjayReddy_0-1720973538202.png

Search head cluster need minimum of 3 search heads and max 100  

Group of search heads where apps, search, artifacts and jobs scheduling are same
 
  • Group of search heads
  • replicates knowledge objects
  • replicates search artifacts
  • increases search accessibility
 
Advantages
      • Horizontal scaling
      • High availability
      • No single point of failure

- Deployer

  • Centralized location to distribute apps and other configurations to search head cluster members
  • Not participate in searches


- Captain


- Its a cluster member with additional responsibilities
- responsible include


- Scheduling jobs/searches
- Coordinating alerts and alerts suppression across the cluster
- Pushes the knowledge bundle to search peers(indexers)
- Coordinating artifacts replication
- Replicating configuration updates


- Cluster members

- Same as search head in single instance
- Participate in searches

- Load balancer (optional)


- 3rd party software
- Resides between users and cluster members


- Replication factor


- Determines the number of copies of each artifact/search result
- Only artifact/search result from scheduled saves searches are replicated
- Results from ad hoc searches or real time searches are not replicated
- by default, schedules saves searches results are stored in
- $SPLUNK_HOME/var/run/splunk/dispatch/search/


- Search peers
         - These Indexers where data is searched

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-14-2024 02:25 AM

https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/AboutSHC

Don't hesitate to ask specific questions you have after reading through the docs.

Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...