Deployment Architecture

Search head and Search Head Cluster to indexer server.

dustymehul
Explorer

We have a single Search Head Node which works over an Indexer Cluster.
All Configurations like users, roles, Dashboards etc are present on this Node.

We are now looking to create a Search Head cluster over the Indexer Cluster.
While we set up the Search Head cluster, I want to keep the first node up and running, as it is in use.

Question 1 - Is it possible to have an "individual node" and a "Search Head Cluster" running over an Indexer Cluster together?

Once Search Head Cluster is completely up, we plan to add the first remaining node as well in the cluster.

Question 2 - How to replicate all the existing configurations from this Node to the Search Head Cluster? My understanding is that when we add a SH Node to a SH Cluster, all the existing configurations will be lost from the SH Node, and the SH captain will push the cluster configuration to the newly added node. How to retain/replicate them to all servers of the SH Cluster before adding the node?


richgalloway
SplunkTrust

Answer 1 - Yes.

Answer 2 - If the individual node is not part of the SHC then the deployer will not touch it (it won't even know the node exists). Otherwise, you should copy the SH Node configs to the cluster before adding the node.

---
If this reply helps you, Karma would be appreciated.
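
An added example (not from the post above and not Splunk's own tooling) of the "copy the SH Node configs to the cluster" step: it stages custom apps and users' private content from a copy of the standalone node's `etc/` directory into the deployer's `etc/shcluster/` directory, skipping apps that ship with Splunk. The two directory arguments, the script name and the partial built-in app list are assumptions.

```bash
#!/usr/bin/env bash
# Stage a standalone search head's apps and user content on the SHC deployer.
# Usage (paths are assumptions): stage.sh <copy of standalone etc/> <deployer etc/>

# Apps shipped with Splunk Enterprise: partial list (assumption), extend for your version.
BUILTIN_APPS="search launcher learned legacy sample_app appsbrowser alert_logevent
alert_webhook introspection_generator_addon splunk_httpinput splunk_instrumentation
splunk_monitoring_console splunk_archiver SplunkForwarder SplunkLightForwarder"

is_builtin() {
  for b in $BUILTIN_APPS; do
    if [ "$b" = "$1" ]; then return 0; fi
  done
  return 1
}

# Copies custom apps to shcluster/apps and users/ to shcluster/users.
# Prints the number of apps staged on stdout; warnings go to stderr.
stage_shc_bundle() {
  src_etc=$1
  dest=$2/shcluster
  staged=0
  mkdir -p "$dest/apps" "$dest/users"
  for app in "$src_etc"/apps/*/; do
    [ -d "$app" ] || continue
    name=$(basename "$app")
    if is_builtin "$name"; then
      # Built-in apps are not pushed; their local/ edits need a new home.
      if [ -d "$app/local" ]; then
        echo "WARN: $name/local not staged; move it into a custom app" >&2
      fi
      continue
    fi
    mkdir -p "$dest/apps/$name"
    cp -a "${app%/}/." "$dest/apps/$name/"
    # Stored credentials are encrypted with the source node's splunk.secret.
    if [ -f "$app/local/passwords.conf" ]; then
      echo "WARN: $name has passwords.conf; re-enter credentials on the SHC" >&2
    fi
    staged=$((staged + 1))
  done
  if [ -d "$src_etc/users" ]; then
    cp -a "$src_etc/users/." "$dest/users/"
  fi
  echo "$staged"
}

if [ "$#" -eq 2 ]; then stage_shc_bundle "$1" "$2"; fi
# Next, on the deployer: splunk apply shcluster-bundle -target https://<member>:<mgmt_port>
```

Review the warnings before pushing the bundle: content left behind in a built-in app's `local/` directory, such as saved searches created in the `search` app, is not migrated by this script.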
dustymehul
Explorer

Thanks a lot @richgalloway. Can you please share some reference links/pages where I can read about copying the SH Node configs to the cluster?