Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need more details about SH clustering

thevikramyadav
Engager
‎07-14-2024 01:41 AM

I'm getting confused in SH clustering, can someone help me.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

SanjayReddy
SplunkTrust
SplunkTrust
‎07-14-2024 09:18 AM

Hi @thevikramyadav 

In addtion to @PickleRick answer , below is the basic understandinf of  SH cluster 

SanjayReddy_0-1720973538202.png

Search head cluster need minimum of 3 search heads and max 100  

Group of search heads where apps, search, artifacts and jobs scheduling are same
 
  • Group of search heads
  • replicates knowledge objects
  • replicates search artifacts
  • increases search accessibility
 
Advantages
      • Horizontal scaling
      • High availability
      • No single point of failure

- Deployer

  • Centralized location to distribute apps and other configurations to search head cluster members
  • Not participate in searches


- Captain


- Its a cluster member with additional responsibilities
- responsible include


- Scheduling jobs/searches
- Coordinating alerts and alerts suppression across the cluster
- Pushes the knowledge bundle to search peers(indexers)
- Coordinating artifacts replication
- Replicating configuration updates


- Cluster members

- Same as search head in single instance
- Participate in searches

- Load balancer (optional)


- 3rd party software
- Resides between users and cluster members


- Replication factor


- Determines the number of copies of each artifact/search result
- Only artifact/search result from scheduled saves searches are replicated
- Results from ad hoc searches or real time searches are not replicated
- by default, schedules saves searches results are stored in
- $SPLUNK_HOME/var/run/splunk/dispatch/search/


- Search peers
         - These Indexers where data is searched

View solution in original post

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎07-14-2024 08:16 PM

Hi @thevikramyadav .. 

As you are aware, good questions will receive better answers! 

- are you confused about search factor, replication factor, etc

- are you confused about SHC maintenance, support tasks.. 

- are you confused about why SHC needed in first place?

- are you confused about SHC and distributed searching?.. 

- are you confused about licensing for SHC.. or something else.. 

 

Best Regards

Sekar

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

SanjayReddy
SplunkTrust
SplunkTrust
‎07-14-2024 09:18 AM

Hi @thevikramyadav 

In addtion to @PickleRick answer , below is the basic understandinf of  SH cluster 

SanjayReddy_0-1720973538202.png

Search head cluster need minimum of 3 search heads and max 100  

Group of search heads where apps, search, artifacts and jobs scheduling are same
 
  • Group of search heads
  • replicates knowledge objects
  • replicates search artifacts
  • increases search accessibility
 
Advantages
      • Horizontal scaling
      • High availability
      • No single point of failure

- Deployer

  • Centralized location to distribute apps and other configurations to search head cluster members
  • Not participate in searches


- Captain


- Its a cluster member with additional responsibilities
- responsible include


- Scheduling jobs/searches
- Coordinating alerts and alerts suppression across the cluster
- Pushes the knowledge bundle to search peers(indexers)
- Coordinating artifacts replication
- Replicating configuration updates


- Cluster members

- Same as search head in single instance
- Participate in searches

- Load balancer (optional)


- 3rd party software
- Resides between users and cluster members


- Replication factor


- Determines the number of copies of each artifact/search result
- Only artifact/search result from scheduled saves searches are replicated
- Results from ad hoc searches or real time searches are not replicated
- by default, schedules saves searches results are stored in
- $SPLUNK_HOME/var/run/splunk/dispatch/search/


- Search peers
         - These Indexers where data is searched

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-14-2024 02:25 AM

https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/AboutSHC

Don't hesitate to ask specific questions you have after reading through the docs.

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...