Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Search Head Cluster - Hardware considerations

leefernan
Explorer
‎09-24-2020 11:54 AM

Hello Everyone,

I have an environment which has an index cluster and three search heads that are currently looking for data in this cluster. 

I want to create a SH cluster with this three search heads, but the hardware specifications between  them are different:

-SH1 40 Cores 128GB Ram, (Chosen as captain)

-SH2 24 Cores 64GB Ram, (Member)

-SH3 24 Cores 64GB Ram, (Member)

The Splunk documentation specifies that "Use identical specifications for all members (bare metal or VM)" 

What would be the impact or implications to deploy a search cluster with this servers different  in Hardware Specifications? 

The captain will use only just 24 cores and  64gb ram as the other cluster members? 

Or the captain will assume every server has the same hardware capabilities as him?  As the following text suggest: 


"Splunk recommends that you use homogeneous machines with identical hardware specifications for all cluster members. The reason is that the  cluster captain assigns scheduled jobs to members based on their current job loads. When it does this, it does not have insight into the actual processing power of each member's machine. Instead, it assumes that each machine is provisioned equally."

I will appreciate your knowledge, thoughts and recommendations. 

Thanks in advance. 

 

Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-24-2020 12:17 PM

The SHC captain assumes all nodes are the same as itself.  That means it could give each member 46 searches (# CPUs + 6) when they can support only 30.  Search performance likely will suffer.

BTW, the cluster typically chooses its own captain, which means SH2 or SH3 could become captain and assume SH1 only supports 30 searches.  It that case, some resources are wasted.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-24-2020 12:17 PM

The SHC captain assumes all nodes are the same as itself.  That means it could give each member 46 searches (# CPUs + 6) when they can support only 30.  Search performance likely will suffer.

BTW, the cluster typically chooses its own captain, which means SH2 or SH3 could become captain and assume SH1 only supports 30 searches.  It that case, some resources are wasted.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

leefernan
Explorer
‎09-24-2020 02:56 PM

 I suspected that. It's nice to have a confirmation. Thanks a lot!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...