Deployment Architecture
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need more details about SH clustering

thevikramyadav
Engager
‎07-14-2024 01:41 AM

I'm getting confused in SH clustering, can someone help me.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

SanjayReddy
SplunkTrust
SplunkTrust
‎07-14-2024 09:18 AM

Hi @thevikramyadav 

In addtion to @PickleRick answer , below is the basic understandinf of  SH cluster 

SanjayReddy_0-1720973538202.png

Search head cluster need minimum of 3 search heads and max 100  

Group of search heads where apps, search, artifacts and jobs scheduling are same
 
  • Group of search heads
  • replicates knowledge objects
  • replicates search artifacts
  • increases search accessibility
 
Advantages
      • Horizontal scaling
      • High availability
      • No single point of failure

- Deployer

  • Centralized location to distribute apps and other configurations to search head cluster members
  • Not participate in searches


- Captain


- Its a cluster member with additional responsibilities
- responsible include


- Scheduling jobs/searches
- Coordinating alerts and alerts suppression across the cluster
- Pushes the knowledge bundle to search peers(indexers)
- Coordinating artifacts replication
- Replicating configuration updates


- Cluster members

- Same as search head in single instance
- Participate in searches

- Load balancer (optional)


- 3rd party software
- Resides between users and cluster members


- Replication factor


- Determines the number of copies of each artifact/search result
- Only artifact/search result from scheduled saves searches are replicated
- Results from ad hoc searches or real time searches are not replicated
- by default, schedules saves searches results are stored in
- $SPLUNK_HOME/var/run/splunk/dispatch/search/


- Search peers
         - These Indexers where data is searched

View solution in original post

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎07-14-2024 08:16 PM

Hi @thevikramyadav .. 

As you are aware, good questions will receive better answers! 

- are you confused about search factor, replication factor, etc

- are you confused about SHC maintenance, support tasks.. 

- are you confused about why SHC needed in first place?

- are you confused about SHC and distributed searching?.. 

- are you confused about licensing for SHC.. or something else.. 

 

Best Regards

Sekar

 

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution
Solution

SanjayReddy
SplunkTrust
SplunkTrust
‎07-14-2024 09:18 AM

Hi @thevikramyadav 

In addtion to @PickleRick answer , below is the basic understandinf of  SH cluster 

SanjayReddy_0-1720973538202.png

Search head cluster need minimum of 3 search heads and max 100  

Group of search heads where apps, search, artifacts and jobs scheduling are same
 
  • Group of search heads
  • replicates knowledge objects
  • replicates search artifacts
  • increases search accessibility
 
Advantages
      • Horizontal scaling
      • High availability
      • No single point of failure

- Deployer

  • Centralized location to distribute apps and other configurations to search head cluster members
  • Not participate in searches


- Captain


- Its a cluster member with additional responsibilities
- responsible include


- Scheduling jobs/searches
- Coordinating alerts and alerts suppression across the cluster
- Pushes the knowledge bundle to search peers(indexers)
- Coordinating artifacts replication
- Replicating configuration updates


- Cluster members

- Same as search head in single instance
- Participate in searches

- Load balancer (optional)


- 3rd party software
- Resides between users and cluster members


- Replication factor


- Determines the number of copies of each artifact/search result
- Only artifact/search result from scheduled saves searches are replicated
- Results from ad hoc searches or real time searches are not replicated
- by default, schedules saves searches results are stored in
- $SPLUNK_HOME/var/run/splunk/dispatch/search/


- Search peers
         - These Indexers where data is searched

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-14-2024 02:25 AM

https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/AboutSHC

Don't hesitate to ask specific questions you have after reading through the docs.

Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top