Deployment Architecture

Search Head Clustering (Minimum Nodes Required)

jspvkey
Explorer

Hi,
I am planning to create a Search Head Cluster using two Search Heads. Is this possible? I read somewhere that you need at least 3 nodes to create a Search Head Cluster. Is this true?

Thanks

1 Solution

jimodonald
Contributor

Minimum of three nodes.

Copied from the Distributed Search Manual:
http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/SHCsystemrequirements

Required number of instances
The cluster must contain at a minimum the number of members needed to fulfill both of these requirements:

  • Three members, so that the cluster can continue to function if one member goes down. See "Captain election process has deployment implications."
  • The replication factor number of instances. See "Choose the replication factor for the search head cluster."

For example, if your replication factor is either 2 or 3, you need at least three instances. If your replication factor is 5, you need at least five instances.

You can optionally add more members to boost search and user capacity.

View solution in original post

bandit
Motivator

This may be worth a try. I'm looking into it myself. https://github.com/mhassan2/splunk-n-box
In my case, I have two 32 core/128GB ram servers. It would make more sense to me to be able to scale on these hosts prior to purchasing additional hardware to form a search cluster. With Docker, I believe I could easily run 3+ splunk instances on each host, allowing me also to solve the issue of port conflicts for a common replication port for search head clustering.

Rob

0 Karma

hitesh_kanchan
Explorer

You can create a Search Head Cluster using two Search Heads but if one of the Search heads goes down, then it will act as independent search head and the scheduled searches will not work. We have configured the Search Head Cluster using two Search Heads.

0 Karma

anandhim
Path Finder

hitesh_kanchan, can the scheduled searches be made to work by assigning the second node as the static captain?

0 Karma

jimodonald
Contributor

Minimum of three nodes.

Copied from the Distributed Search Manual:
http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/SHCsystemrequirements

Required number of instances
The cluster must contain at a minimum the number of members needed to fulfill both of these requirements:

  • Three members, so that the cluster can continue to function if one member goes down. See "Captain election process has deployment implications."
  • The replication factor number of instances. See "Choose the replication factor for the search head cluster."

For example, if your replication factor is either 2 or 3, you need at least three instances. If your replication factor is 5, you need at least five instances.

You can optionally add more members to boost search and user capacity.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...