Search Head on Splunk Cloud

cpraz_ord · ‎08-03-2016

Hi...I believe Splunk Cloud has 3 indexers, what about Search Heads? If there multiple Search Heads, does the ES app get propagated across SH clusters & Index clusters?

pgreer_splunk · ‎08-05-2016

A base build is 1-3 (being one search head and 3x indexers). Of course, each build is sized to a customer's initial target ingest rate, data retention, etc.

If a customer is large enough (enough concurrent users) a search head might initially be deployed. Otherwise they are single search heads.

You are correct, if there is a premium app purchased (such as ES or ITSI) that warrants it's own search head, then a second (or more) search head will be deployed. Typically a base search head is at a canonical name https://.splunkcloud.com where the additional ES search head would reside at https://es-.splunkcloud.com.

Again, that being said, if the size of the customer, concurrent users, search load, etc. - then a search head cluster might be deployed (for the ad-hoc searching purposes or independently for ES).

As for propagation across search heads and indexers, it depends on the app. If the app requires indexing time props/transforms then there will be configuration pieces on the indexers. If the app only has search time props/transforms then it may only reside on the search head (or search heads if in a search head cluster).

somesoni2 · ‎08-03-2016

Take a look at these posts

https://answers.splunk.com/answers/331435/search-head-clustering-enterprise-security-and-pci.html
https://answers.splunk.com/answers/231809/how-to-deploy-the-splunk-app-for-enterprise-securi.html

Search Head on Splunk Cloud

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?