Search Head Pooling Replicate Bundle

ephemeric
Contributor

Greetz,

Must one use mounted bundles with search head pooling?

I would like to enable search head pooling with minimal effort to start testing in a production environment.

So, can we use 4.2.3 with asynchronous bundle replication with search head pooling and "upgrade" to mounted bundles at a later stage?

Thanks.

1 Solution

ewoo
Splunk Employee

You do not need to use mounted bundles with search head pooling. You can rely on bundle replication to copy configurations from your search heads to your indexers.

You can upgrade to mounted bundles at a later stage.

ewoo
Splunk Employee

Whether or not you see bundles per-search-head or per-pool depends on the version of Splunk on your search heads. In 4.3.x and earlier, each search head replicates its own bundles by default. In 5.0 and higher, search heads send bundles on a per-pool basis -- see the "useSHPBundleReplication" setting in distsearch.conf.

In other words, the default behavior before 5.0 is to replicate bundles by serverName. In 5.0 and later, the default behavior is to replicate by search head pool GUID.

0 Karma

rtadams89
Contributor

I don't think this is correct. The pool should only send one bundle. If you look on your indexer, you'll see the bundles identified by the search pool GUID instead of the server names of the individual search heads in the pool.

0 Karma

ewoo
Splunk Employee

Correct -- with 2 heads in a pool and no mounted bundles, each search head sends a copy of the bundles.

dhaffner
Path Finder

Does this mean that, for example, with 2 search heads in a pool, and no mounted bundles, each search head will send its own bundle? Or will there be only one bundle that gets sent out to the peers?
