Search Head Clustering (Minimum Nodes Required)

jspvkey
Explorer

Hi,
I am planning to create a Search Head Cluster using two Search Heads. Is this possible? I read somewhere that you need at least 3 nodes to create a Search Head Cluster. Is this true?

Thanks

1 Solution

jimodonald
Contributor

Minimum of three nodes.

Copied from the Distributed Search Manual:
http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/SHCsystemrequirements

Required number of instances
The cluster must contain at a minimum the number of members needed to fulfill both of these requirements:

  • Three members, so that the cluster can continue to function if one member goes down. See "Captain election process has deployment implications."
  • The replication factor number of instances. See "Choose the replication factor for the search head cluster."

For example, if your replication factor is either 2 or 3, you need at least three instances. If your replication factor is 5, you need at least five instances.

You can optionally add more members to boost search and user capacity.

bandit
Motivator

This may be worth a try. I'm looking into it myself. https://github.com/mhassan2/splunk-n-box
In my case, I have two 32-core/128 GB RAM servers. It would make more sense to me to be able to scale on these hosts prior to purchasing additional hardware to form a search cluster. With Docker, I believe I could easily run 3+ Splunk instances on each host, allowing me also to solve the issue of port conflicts for a common replication port for search head clustering.

Rob

0 Karma

hitesh_kanchan
Explorer

You can create a Search Head Cluster using two Search Heads, but if one of the Search Heads goes down, then it will act as an independent search head and the scheduled searches will not work. We have configured the Search Head Cluster using two Search Heads.

0 Karma

anandhim
Path Finder

hitesh_kanchan, can the scheduled searches be made to work by assigning the second node as the static captain?

0 Karma
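
An added example (not code from the thread or from Splunk) that checks the layouts discussed above against the quoted minimum and against captain election when a whole host is lost. It assumes the election rule from Splunk's search head clustering documentation, a majority vote of all members whether or not they are running; the host names and member counts are constructed.

```python
from itertools import combinations

MIN_MEMBERS = 3  # minimum quoted from the Distributed Search Manual above

def required_members(replication_factor):
    """Smallest cluster size that satisfies both quoted requirements."""
    return max(MIN_MEMBERS, replication_factor)

def votes_needed(total_members):
    """Assumed election rule: strict majority of ALL members, up or down."""
    return total_members // 2 + 1

def survives(layout, failed_hosts):
    """True if the members left after losing failed_hosts can elect a captain."""
    total = sum(layout.values())
    alive = sum(n for host, n in layout.items() if host not in failed_hosts)
    return alive >= votes_needed(total)

def host_failures_tolerated(layout):
    """Largest k such that losing ANY k hosts still leaves a majority."""
    hosts = list(layout)
    tolerated = 0
    for k in range(1, len(hosts)):
        if not all(survives(layout, set(d)) for d in combinations(hosts, k)):
            break
        tolerated = k
    return tolerated

def review(name, layout, replication_factor):
    """Summarise one planned layout as a dict."""
    total = sum(layout.values())
    return {
        "layout": name,
        "members": total,
        "meets_minimum": total >= required_members(replication_factor),
        "votes_needed": votes_needed(total),
        "host_failures_tolerated": host_failures_tolerated(layout),
    }

# Constructed layouts: host name -> number of search head members on it.
LAYOUTS = {
    "two members, two hosts": {"hostA": 1, "hostB": 1},
    "six containers, two hosts": {"hostA": 3, "hostB": 3},
    "three members, three hosts": {"hostA": 1, "hostB": 1, "hostC": 1},
}

if __name__ == "__main__":
    for name, layout in LAYOUTS.items():
        print(review(name, layout, replication_factor=3))
```

Under that assumption, member count alone does not give availability: what matters is how many members remain after the largest single failure domain is lost.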

