Deployment Architecture

Search Head Clustering (Minimum Nodes Required)

jspvkey
Explorer

Hi,
I am planning to create a Search Head Cluster using two Search Heads. Is this possible? I read somewhere that you need at least 3 nodes to create a Search Head Cluster. Is this true?

Thanks

1 Solution

jimodonald
Contributor

Minimum of three nodes.

Copied from the Distributed Search Manual:
http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/SHCsystemrequirements

Required number of instances
The cluster must contain at a minimum the number of members needed to fulfill both of these requirements:

  • Three members, so that the cluster can continue to function if one member goes down. See "Captain election process has deployment implications."
  • The replication factor number of instances. See "Choose the replication factor for the search head cluster."

For example, if your replication factor is either 2 or 3, you need at least three instances. If your replication factor is 5, you need at least five instances.

You can optionally add more members to boost search and user capacity.

View solution in original post

bandit
Motivator

This may be worth a try. I'm looking into it myself. https://github.com/mhassan2/splunk-n-box
In my case, I have two 32 core/128GB ram servers. It would make more sense to me to be able to scale on these hosts prior to purchasing additional hardware to form a search cluster. With Docker, I believe I could easily run 3+ splunk instances on each host, allowing me also to solve the issue of port conflicts for a common replication port for search head clustering.

Rob

0 Karma

hitesh_kanchan
Explorer

You can create a Search Head Cluster using two Search Heads but if one of the Search heads goes down, then it will act as independent search head and the scheduled searches will not work. We have configured the Search Head Cluster using two Search Heads.

0 Karma

anandhim
Path Finder

hitesh_kanchan, can the scheduled searches be made to work by assigning the second node as the static captain?

0 Karma

jimodonald
Contributor

Minimum of three nodes.

Copied from the Distributed Search Manual:
http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/SHCsystemrequirements

Required number of instances
The cluster must contain at a minimum the number of members needed to fulfill both of these requirements:

  • Three members, so that the cluster can continue to function if one member goes down. See "Captain election process has deployment implications."
  • The replication factor number of instances. See "Choose the replication factor for the search head cluster."

For example, if your replication factor is either 2 or 3, you need at least three instances. If your replication factor is 5, you need at least five instances.

You can optionally add more members to boost search and user capacity.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...