Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need more details about SH clustering

thevikramyadav
Engager
‎07-14-2024 01:41 AM

I'm getting confused in SH clustering, can someone help me.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

SanjayReddy
SplunkTrust
SplunkTrust
‎07-14-2024 09:18 AM

Hi @thevikramyadav 

In addtion to @PickleRick answer , below is the basic understandinf of  SH cluster 

SanjayReddy_0-1720973538202.png

Search head cluster need minimum of 3 search heads and max 100  

Group of search heads where apps, search, artifacts and jobs scheduling are same
 
  • Group of search heads
  • replicates knowledge objects
  • replicates search artifacts
  • increases search accessibility
 
Advantages
      • Horizontal scaling
      • High availability
      • No single point of failure

- Deployer

  • Centralized location to distribute apps and other configurations to search head cluster members
  • Not participate in searches


- Captain


- Its a cluster member with additional responsibilities
- responsible include


- Scheduling jobs/searches
- Coordinating alerts and alerts suppression across the cluster
- Pushes the knowledge bundle to search peers(indexers)
- Coordinating artifacts replication
- Replicating configuration updates


- Cluster members

- Same as search head in single instance
- Participate in searches

- Load balancer (optional)


- 3rd party software
- Resides between users and cluster members


- Replication factor


- Determines the number of copies of each artifact/search result
- Only artifact/search result from scheduled saves searches are replicated
- Results from ad hoc searches or real time searches are not replicated
- by default, schedules saves searches results are stored in
- $SPLUNK_HOME/var/run/splunk/dispatch/search/


- Search peers
         - These Indexers where data is searched

View solution in original post

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎07-14-2024 08:16 PM

Hi @thevikramyadav .. 

As you are aware, good questions will receive better answers! 

- are you confused about search factor, replication factor, etc

- are you confused about SHC maintenance, support tasks.. 

- are you confused about why SHC needed in first place?

- are you confused about SHC and distributed searching?.. 

- are you confused about licensing for SHC.. or something else.. 

 

Best Regards

Sekar

 

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution
Solution

SanjayReddy
SplunkTrust
SplunkTrust
‎07-14-2024 09:18 AM

Hi @thevikramyadav 

In addtion to @PickleRick answer , below is the basic understandinf of  SH cluster 

SanjayReddy_0-1720973538202.png

Search head cluster need minimum of 3 search heads and max 100  

Group of search heads where apps, search, artifacts and jobs scheduling are same
 
  • Group of search heads
  • replicates knowledge objects
  • replicates search artifacts
  • increases search accessibility
 
Advantages
      • Horizontal scaling
      • High availability
      • No single point of failure

- Deployer

  • Centralized location to distribute apps and other configurations to search head cluster members
  • Not participate in searches


- Captain


- Its a cluster member with additional responsibilities
- responsible include


- Scheduling jobs/searches
- Coordinating alerts and alerts suppression across the cluster
- Pushes the knowledge bundle to search peers(indexers)
- Coordinating artifacts replication
- Replicating configuration updates


- Cluster members

- Same as search head in single instance
- Participate in searches

- Load balancer (optional)


- 3rd party software
- Resides between users and cluster members


- Replication factor


- Determines the number of copies of each artifact/search result
- Only artifact/search result from scheduled saves searches are replicated
- Results from ad hoc searches or real time searches are not replicated
- by default, schedules saves searches results are stored in
- $SPLUNK_HOME/var/run/splunk/dispatch/search/


- Search peers
         - These Indexers where data is searched

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-14-2024 02:25 AM

https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/AboutSHC

Don't hesitate to ask specific questions you have after reading through the docs.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...