Deployment Architecture
Highlighted

Rysnc Search Heads

Contributor

Hi Splunk,

We will be using rsync to keep our 2 enterprise search heads in sync. I found a Splunk wiki page on this topic but it is for an older version (3.3) of Splunk. We are using Splunk 6.4. Is there a newer wiki or another documented resource on what to keep in sync between the 2 search heads?

Thank you

Highlighted

Re: Rysnc Search Heads

Contributor

hello there,

we can't head SH clustering as we only have 2 search heads, and I read somewhere search head pooling was deprecated... I will check out your links.. thank you!

0 Karma
Highlighted

Re: Rysnc Search Heads

Esteemed Legend

As Splunk says:

This feature has been deprecated as of Splunk Enterprise version 6.2. This means that although it continues to function, it might be removed in a future version.

So deprecated does not mean unuseable.

0 Karma
Highlighted

Re: Rysnc Search Heads

Champion

Starting with 4.2, you can use search head pooling to share configurations and user data between search heads. So, the Search Head Pooling with LDAP authentication, you do not need to rsync the apps, users, and dispatch jobs among search heads, anymore.

Note: Search head pooling has been deprecated in Splunk Enterprise version 6.2.
Search Head Cluster takes care of this one.

0 Karma
Highlighted

Re: Rysnc Search Heads

SplunkTrust
SplunkTrust

For the love of Benji, don't do SHP.

0 Karma
Highlighted

Re: Rysnc Search Heads

Esteemed Legend

I must admit, I have not done so myself, but surely it is better than rolling one's own rsync, yes?

0 Karma
Highlighted

Re: Rysnc Search Heads

SplunkTrust
SplunkTrust

Barely. SHP has a lot of performance problems in most cases, as it is CIFS/NFS based. Rsync provides different levels of pain. From what I have seen in the past, attempting to sync search heads via rsync produces weirdness (at best). Best option here, unfortunately, is to get another search head. Splunk recommends that servers in SHC be similar, which makes sense, as SHC doesn't really have a concept of "weighting". However, perhaps a small VM that sees no end-user searches.

0 Karma
Highlighted

Re: Rysnc Search Heads

Esteemed Legend

OK, so just add the Deployment Server as the 3rd Search Head for Clustering but do not allow anybody to login to it. That should solve everything, right?

0 Karma
Highlighted

Re: Rysnc Search Heads

SplunkTrust
SplunkTrust

No, it still wouldn't be perfect. You still need a deployer, which would most likely be the DS. So another system would still be needed.

0 Karma