Hi @thevikramyadav
In addtion to @PickleRick answer , below is the basic understandinf of SH cluster
Search head cluster need minimum of 3 search heads and max 100
- Group of search heads
- replicates knowledge objects
- replicates search artifacts
- increases search accessibility
- Horizontal scaling
- High availability
- No single point of failure
- Deployer
- Centralized location to distribute apps and other configurations to search head cluster members
- Not participate in searches
- Captain
- Its a cluster member with additional responsibilities
- responsible include
- Scheduling jobs/searches
- Coordinating alerts and alerts suppression across the cluster
- Pushes the knowledge bundle to search peers(indexers)
- Coordinating artifacts replication
- Replicating configuration updates
- Cluster members
- Same as search head in single instance
- Participate in searches
- Load balancer (optional)
- 3rd party software
- Resides between users and cluster members
- Replication factor
- Determines the number of copies of each artifact/search result
- Only artifact/search result from scheduled saves searches are replicated
- Results from ad hoc searches or real time searches are not replicated
- by default, schedules saves searches results are stored in
- $SPLUNK_HOME/var/run/splunk/dispatch/search/
- Search peers
- These Indexers where data is searched
Hi @thevikramyadav
In addtion to @PickleRick answer , below is the basic understandinf of SH cluster
Search head cluster need minimum of 3 search heads and max 100
- Group of search heads
- replicates knowledge objects
- replicates search artifacts
- increases search accessibility
- Horizontal scaling
- High availability
- No single point of failure
- Deployer
- Centralized location to distribute apps and other configurations to search head cluster members
- Not participate in searches
- Captain
- Its a cluster member with additional responsibilities
- responsible include
- Scheduling jobs/searches
- Coordinating alerts and alerts suppression across the cluster
- Pushes the knowledge bundle to search peers(indexers)
- Coordinating artifacts replication
- Replicating configuration updates
- Cluster members
- Same as search head in single instance
- Participate in searches
- Load balancer (optional)
- 3rd party software
- Resides between users and cluster members
- Replication factor
- Determines the number of copies of each artifact/search result
- Only artifact/search result from scheduled saves searches are replicated
- Results from ad hoc searches or real time searches are not replicated
- by default, schedules saves searches results are stored in
- $SPLUNK_HOME/var/run/splunk/dispatch/search/
- Search peers
- These Indexers where data is searched
