Deployment Architecture

Single site clustering - License manager and cluster master

rupeshn
Explorer

Hi ,

1.Could you please let me know if one of the indexers in Single site Clustering be made as Cluster master?

  1. Is it a good idea to have Indexers, SearchHeads on Windows servers (2012 and above versions)

Thank You 🙂

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @rupeshn,
Master Node (or Cluster Master) cannot be one of the Indexers (for more infos see at https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Enablethemasternode 😞

Important: A master node cannot do double duty as a peer node or a search node. The Splunk Enterprise instance that you enable as master node must perform only that single indexer cluster role. In addition, the master cannot share a machine with a peer. Under certain limited circumstances, however, the master instance can handle a few other lightweight functions. See "Additional roles for the master node".

It must be a different server, that you can also use for other roles as License Master or Deployer, but not: Indexer, Search Head, Deployment Server (for more infos see at https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Systemrequirements#Additional_roles_for_t... ).

About the opportunity to use Windows as Operative System for Splunk server: it's possible, but I didn't see any production infrastructure on Windows except test.
I understand that probably your have more competences on Windows than Linux, but if it isn't mandatory for your company, choose to use Linux!

I'm sorry to answered NO at both your questions, but the first is a Splunk requirement and the second is an hint!

Ciao.
Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @rupeshn,
Master Node (or Cluster Master) cannot be one of the Indexers (for more infos see at https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Enablethemasternode 😞

Important: A master node cannot do double duty as a peer node or a search node. The Splunk Enterprise instance that you enable as master node must perform only that single indexer cluster role. In addition, the master cannot share a machine with a peer. Under certain limited circumstances, however, the master instance can handle a few other lightweight functions. See "Additional roles for the master node".

It must be a different server, that you can also use for other roles as License Master or Deployer, but not: Indexer, Search Head, Deployment Server (for more infos see at https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Systemrequirements#Additional_roles_for_t... ).

About the opportunity to use Windows as Operative System for Splunk server: it's possible, but I didn't see any production infrastructure on Windows except test.
I understand that probably your have more competences on Windows than Linux, but if it isn't mandatory for your company, choose to use Linux!

I'm sorry to answered NO at both your questions, but the first is a Splunk requirement and the second is an hint!

Ciao.
Giuseppe

rupeshn
Explorer

Thank You gcusello

0 Karma

gfreitas
Builder

Hey,
No the cluster master cannot be one of the Indexers, you'll need a separate instance for that. The Cluster Master is actually a very good candidate for a lighter virtual instance.
More information about the cluster master can be found here: https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Systemrequirements#Additional_roles_for_t....

You can deploy the cluster on Windows Server, see more information here: https://docs.splunk.com/Documentation/Splunk/8.0.1/Installation/Systemrequirements.
Me personally prefer using Linux as Windows has general more overhead O.S. than Linux and some small issues that you'll find over time.
I cannot see Windows 2012 specifically stated there, so you better go with a newer version of Windows server if you choose to.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

No, an indexer cannot also be the cluster master.

Most probably would say it's not a good idea to run Splunk on Windows, although it is done in many places. See https://answers.splunk.com/answers/516059/what-are-the-pain-points-with-deploying-your-splun.html for many reasons to avoid Windows.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...