folks,
We have two sites and we host 8 Search Heads (4 per site) all clustered with 16 indexers. We need to have a non-clustered SearchHead(SH) for sandbox purposes connected to same indexers
My colleague is suggesting its better to have an odd + even setup in SH (ie. 3x + 4y + 1 standalone) as SH captain works on odd/even configuration better. But my view is to have (4x + 4y + 1 standalone) for consistency and maintainability purposes. (ps: company can sponsor 2 SH's extra, budget is not the real problem)
Any suggestions on above?
Take a look at this:
If you want my personal opinion: go for 3 + 4. You only have 2 sites so this would be my preference. If you had 3 sites I would go for 9 Search Heads because majority is 5 and therefore you can afford losing one site completely.
Also isn't the Indexer-Search Head ratio a bit low? 2 indexers per Search Head is not too much. Is there any reason you need so many Search Heads in your deployment?
See this:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Capacity/Referencehardware#Ratio_of_indexers_to_se...
http://docs.splunk.com/Documentation/Splunk/latest/Capacity/Summaryofperformancerecommendations
EDIT: your idea about the extra search head is good too. You could also use it for testing purposes or even as a staging server should you decided to get Enterprise Security.
Take a look at this:
If you want my personal opinion: go for 3 + 4. You only have 2 sites so this would be my preference. If you had 3 sites I would go for 9 Search Heads because majority is 5 and therefore you can afford losing one site completely.
Also isn't the Indexer-Search Head ratio a bit low? 2 indexers per Search Head is not too much. Is there any reason you need so many Search Heads in your deployment?
See this:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Capacity/Referencehardware#Ratio_of_indexers_to_se...
http://docs.splunk.com/Documentation/Splunk/latest/Capacity/Summaryofperformancerecommendations
EDIT: your idea about the extra search head is good too. You could also use it for testing purposes or even as a staging server should you decided to get Enterprise Security.
thanks for your input and links. voting up. (Will accept by end of this week, just wanted to see if any other opinion comes as well)
Another reason to go with 3+4 is that with 7 SH, the majority number is 4. With 8 SH, the majority number required will be 5, so you have to use 5 + 3 (+ 1 standalone) combination to allow primary site (with 5) to be available in case secondary site is down (and you loose your consistency point anyways).