I'm often facing the question in which way Splunk Instances with different Roles can be combined - especially in huge and complex landscapes like with Index- and Searchhead-Clusters. Means for example can a deployer be the same Splunk-Instance as the Cluster-Master? Can the Deployment-Server also be the License Server? and so on ...
I tried to put this in a simple scheme, allowing to give a quick answer.
My approach can be seen within the attached picture:
Sources for these results are some simple tests, experience and the following sources:
The yellow field is based on the fact the sources 1. and 2. conflict with source 3.
How are your experiences regarding these combinations? Could you false or proof my experience?
To be honest when started developing the above Matrix I realized it wasn't that trivial as I initially thought, but maybe we can build a reliable version of this together. I assume this could be helpful for some of the "Splunkers in the wild" 🙂
1 and 2 are not really conflicting with 3. The reason people recommend to host deployment server on a separate machine is because performance (as 2 described). So technically you can host deployment server, cluster master and deployer all together, but you would need a powerful machine.
Not sure why there's a red field, you should be able to host deployment server and deployer together.
thanks for the hint. I should have mentioned I want to exclude the performance thoughts on this list. If we look on performance I assume recommendation is to have each role on a separate instance.
Regarding the red one, I maybe have misinterpreted a documentation or answer. This red field maybe appeared base on the fact you shouldn't use deployment-server with Searchhead-Cluster peers ... I'll proof this again.
To clarify a bit more, deployer is not a search head cluster member, it is a separate instance which talks to all the search head cluster members.
I just wanted to update this topic with at least one sentence which should give the answer to my above question:
It' all about performance!
From technical side - based on my experience - each of the mentioned Splunk Roles can be assigned to the same instance, as long as you don't care on performance. This results in the following picture:
Any concerns? Feedback? Corrections?
Hi, just in case someone finds this old thread and want to utilize.
The "all green" picture covers technical perspective of working platform - so yeah you can combine the roles as you want, but there are "suggestions" by splunk not to do so and even one more aspect which I do not see covered anywhere - and that is updating.
There is often very specific sequence of updating instances required to follow in order to successfully update distributed environments without service interuption and that is where you can found roadblock if you combine it badly.