Deployment Architecture

Search Head Clustering (Minimum Nodes Required)

jspvkey
Explorer

Hi,
I am planning to create a Search Head Cluster using two Search Heads. Is this possible? I read somewhere that you need at least 3 nodes to create a Search Head Cluster. Is this true?

Thanks

1 Solution

jimodonald
Contributor

Minimum of three nodes.

Copied from the Distributed Search Manual:
http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/SHCsystemrequirements

Required number of instances
The cluster must contain at a minimum the number of members needed to fulfill both of these requirements:

  • Three members, so that the cluster can continue to function if one member goes down. See "Captain election process has deployment implications."
  • The replication factor number of instances. See "Choose the replication factor for the search head cluster."

For example, if your replication factor is either 2 or 3, you need at least three instances. If your replication factor is 5, you need at least five instances.

You can optionally add more members to boost search and user capacity.


bandit
Motivator

This may be worth a try. I'm looking into it myself. https://github.com/mhassan2/splunk-n-box
In my case, I have two 32 core/128GB RAM servers. It would make more sense to me to be able to scale on these hosts prior to purchasing additional hardware to form a search cluster. With Docker, I believe I could easily run 3+ Splunk instances on each host, allowing me also to solve the issue of port conflicts for a common replication port for search head clustering.

Rob

0 Karma

hitesh_kanchan
Explorer

You can create a Search Head Cluster using two Search Heads, but if one of the Search Heads goes down, then it will act as an independent search head and the scheduled searches will not work. We have configured the Search Head Cluster using two Search Heads.

0 Karma

anandhim
Path Finder

hitesh_kanchan, can the scheduled searches be made to work by assigning the second node as the static captain?

0 Karma
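
The sizing rule quoted from the manual, applied to the deployments discussed in this thread, as an added example that is not from any poster or from Splunk's documentation. It assumes captain election needs a strict majority of all configured members; the function names, member names and host names are hypothetical.

```python
# Added example: sizing check for a search head cluster (SHC) plan.
from collections import Counter

MIN_MEMBERS = 3  # from the manual excerpt quoted in the thread


def required_members(replication_factor):
    """Minimum size: three members or the replication factor, whichever is larger."""
    return max(MIN_MEMBERS, replication_factor)


def majority(total_members):
    """Votes needed to elect a captain (assumption: strict majority of ALL members)."""
    return total_members // 2 + 1


def assess(placement, replication_factor):
    """placement maps each member name to the physical host it runs on."""
    total = len(placement)
    per_host = Counter(placement.values())
    worst_host_loss = max(per_host.values())  # members lost if the fullest host dies
    return {
        "members": total,
        "meets_minimum": total >= required_members(replication_factor),
        "votes_needed": majority(total),
        # Members that can be down while the rest can still win an election.
        "member_failures_tolerated": total - majority(total),
        # Can the survivors still elect a captain after the fullest host is lost?
        "survives_host_loss": total - worst_host_loss >= majority(total),
    }


# Constructed plans, modelled on the deployments discussed in the thread.
two_members = {"sh1": "hostA", "sh2": "hostB"}
three_hosts = {"sh1": "hostA", "sh2": "hostB", "sh3": "hostC"}
six_on_two_hosts = {f"sh{i}": ("hostA" if i <= 3 else "hostB") for i in range(1, 7)}

if __name__ == "__main__":
    for name, plan in [("two members", two_members),
                       ("three hosts", three_hosts),
                       ("six containers on two hosts", six_on_two_hosts)]:
        print(name, assess(plan, replication_factor=3))
```

Six containers spread over two physical hosts satisfy the member count but still lose the ability to elect a captain when either host fails, because three survivors cannot reach the four votes needed.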
