Deployment Architecture

Search Head on Splunk Cloud

cpraz_ord
Explorer

Hi... I believe Splunk Cloud has 3 indexers, what about Search Heads? If there are multiple Search Heads, does the ES app get propagated across SH clusters & Index clusters?


pgreer_splunk
Splunk Employee

A base build is 1-3 (being one search head and 3x indexers). Of course, each build is sized to a customer's initial target ingest rate, data retention, etc.

If a customer is large enough (enough concurrent users), a search head cluster might initially be deployed. Otherwise they are single search heads.

You are correct: if a premium app is purchased (such as ES or ITSI) that warrants its own search head, then a second (or more) search head will be deployed. Typically the base search head is at a canonical name https://.splunkcloud.com, while the additional ES search head would reside at https://es-.splunkcloud.com.

Again, that being said, if the size of the customer, concurrent users, search load, etc. warrant it, then a search head cluster might be deployed (for ad-hoc searching purposes or independently for ES).

As for propagation across search heads and indexers, it depends on the app. If the app requires index-time props/transforms, then there will be configuration pieces on the indexers. If the app only has search-time props/transforms, then it may only reside on the search head (or search heads if in a search head cluster).
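The index-time versus search-time distinction above is what decides which tier an app's configuration has to reach. As an added example (not part of the original answer and not Splunk's own tooling), the Python below parses a props.conf and reports which settings are index-time, and so must be present on the indexers (or on heavy forwarders parsing in front of them), and which are search-time, and so can live on the search head alone. The key lists are a partial set taken from props.conf.spec; the two props.conf fragments, the acme:web sourcetype and the transform name acme_drop_healthchecks are constructed for this example.

```python
"""Decide which Splunk tier an app's props.conf settings must reach.

Added example, not Splunk's own code. Index-time settings (line breaking,
timestamp recognition, TRANSFORMS-/SEDCMD- routing and masking) are applied
where the data is parsed, so they must be present on the indexers. Search-time
settings (EXTRACT-, REPORT-, FIELDALIAS-, EVAL-, LOOKUP-, KV_MODE) are applied
by the search head and can live there alone.
"""
import configparser

# Partial lists drawn from props.conf.spec (assumption: common cases only;
# anything unlisted is reported as "unknown" for manual review).
INDEX_TIME_KEYS = {
    "sourcetype", "SHOULD_LINEMERGE", "LINE_BREAKER", "BREAK_ONLY_BEFORE",
    "MUST_BREAK_AFTER", "MUST_NOT_BREAK_AFTER", "MAX_EVENTS", "TRUNCATE",
    "CHARSET", "NO_BINARY_CHECK", "TIME_PREFIX", "TIME_FORMAT",
    "MAX_TIMESTAMP_LOOKAHEAD", "TZ", "DATETIME_CONFIG", "ANNOTATE_PUNCT",
    "INDEXED_EXTRACTIONS",
}
INDEX_TIME_PREFIXES = ("TRANSFORMS-", "SEDCMD-")
SEARCH_TIME_KEYS = {"KV_MODE", "AUTO_KV_JSON", "KV_TRIM_SPACES", "rename"}
SEARCH_TIME_PREFIXES = ("REPORT-", "EXTRACT-", "FIELDALIAS-", "EVAL-", "LOOKUP-")


def classify_key(key):
    """Return 'index_time', 'search_time' or 'unknown' for one props.conf key."""
    if key in INDEX_TIME_KEYS or key.startswith(INDEX_TIME_PREFIXES):
        return "index_time"
    if key in SEARCH_TIME_KEYS or key.startswith(SEARCH_TIME_PREFIXES):
        return "search_time"
    return "unknown"


def parse_props(text):
    """Parse props.conf text into {stanza: {key: value}}.

    Splunk .conf files are INI-like: case-sensitive keys, '=' as the only
    delimiter, regexes and '%' strftime tokens in values (so no interpolation).
    """
    cp = configparser.RawConfigParser(
        strict=False, delimiters=("=",), empty_lines_in_values=False
    )
    cp.optionxform = str  # keep key case: EXTRACT-foo is not extract-foo
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def classify_props(text):
    """Bucket every key of every stanza by the tier that applies it."""
    report = {}
    for stanza, settings in parse_props(text).items():
        buckets = {"index_time": [], "search_time": [], "unknown": []}
        for key in settings:
            buckets[classify_key(key)].append(key)
        report[stanza] = buckets
    return report


def needs_indexer_config(text):
    """True if any stanza carries index-time settings, i.e. the app cannot be
    deployed on the search head alone."""
    return any(b["index_time"] for b in classify_props(text).values())


# Constructed sample 1: search-time knowledge only, the search head is enough.
SEARCH_ONLY_PROPS = r"""
[acme:web]
KV_MODE = none
EXTRACT-client = ^(?<client_ip>\d+\.\d+\.\d+\.\d+)\s
FIELDALIAS-src = client_ip AS src
EVAL-is_internal = if(cidrmatch("10.0.0.0/8", client_ip), 1, 0)
LOOKUP-geo = acme_geo client_ip OUTPUT country
"""

# Constructed sample 2: parsing, routing and masking rules, indexers need it.
INDEX_TIME_PROPS = r"""
[source::/var/log/acme/access*.log]
sourcetype = acme:web

[acme:web]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^\[
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS-null = acme_drop_healthchecks
SEDCMD-mask_token = s/token=[^&\s]+/token=REDACTED/g
EXTRACT-client = ^(?<client_ip>\d+\.\d+\.\d+\.\d+)\s
"""

if __name__ == "__main__":
    for name, text in (("search-only app", SEARCH_ONLY_PROPS),
                       ("index-time app", INDEX_TIME_PROPS)):
        print(f"{name}: indexer config needed = {needs_indexer_config(text)}")
        for stanza, buckets in classify_props(text).items():
            print(f"  [{stanza}]")
            for tier, keys in buckets.items():
                if keys:
                    print(f"    {tier}: {', '.join(keys)}")
```

Run it against an app's default/props.conf and local/props.conf before requesting installation: if needs_indexer_config returns True, the app (or at least a stripped-down parsing-only copy of it) has to reach the indexing tier, which in Splunk Cloud is not something you can do from the search head UI. Treat the "unknown" bucket as a to-do list to check against props.conf.spec rather than assuming those keys are search-time.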

KKuser
Path Finder

I see an architecture online for Splunk Cloud. The Splunk Cloud has a Search Tier [Search Head (core), Search Head (Enterprise Security)], an Indexing Tier (I see a picture of 3 indexers), and a Management Tier [Cluster Manager].

Is this a valid Splunk Cloud architecture? If there is a search head cluster, will it be shown in the architecture diagram? I'm trying to figure out, if there are multiple instances of Splunk Cloud, whether knowledge objects present in one instance can be seen in the other instance as well.


gcusello
SplunkTrust

Hi @KKuser ,

First of all, don't attach a new question to such an old one (nine years ago!), even if it's on the same topic, because it's difficult to get an answer; it's always better to create a new question.

Anyway, if you need information about a validated Splunk architecture for an on-premises or hybrid installation, see https://docs.splunk.com/Documentation/SVA/current/Architectures/About

In any case, in Splunk Cloud you only see two machines: one Search Head for ES and one Search Head for the other apps.

You don't know if there's a Search Head Cluster; probably not, also because you see only two machines and an SH Cluster needs three machines.

In addition, you can upload apps, and this operation isn't possible on SH Clusters.

In addition, the Indexer layer is not visible to you, even if you see three Indexers, and you cannot see the Cluster Manager.

Surely there are many instances of Splunk Cloud on different AWS machines.

For more information see https://docs.splunk.com/Documentation/SVA/current/Architectures/SCPExperience

Ciao.

Giuseppe
