This exciting news.
I saw this published in Splunk's Blog:
Splunk Enterprise 6.2 adds a key capability with Search Head Clustering.
http://blogs.splunk.com/2014/10/07/enterprise_hunk_62/
Any details on the configuration requirements or architecture?
I couldn't yet find it in the 6.2 Beta docs.
I'm hoping to use this feature for a new implementation going live next month.
This feature was not part of the beta.
You will receive higher quality information when 6.2 is released, but I think it is acceptable for me to make the following comments as an individual.
While we are all of course excited to replace Search Head Pooling with its difficult-to-meet demand on an extremely high performance NFS store, this will be brand new significantly complicated functionality doing an initial release. If you plan to be early adopters understand there are likely to be hiccups. This is not an official Splunk position. This is just my comment.
That said the general target is nodes with local storage and reliable communication among the nodes, like a set of boxes in a data center. There are no external requirements resource requirements beyond the network. The load on the nodes will be generally similar to a conventional search head, with all the usual variables that come with the search load patterns and the types of searches run. The additional resource demand is that nodes will need to rapidly transfer data between them in some scenarios, such as when requesting the output of a search that was run on a different node.
RT and Ad-Hoc remains not being replicated on SHC 6.2.3 ... only proxying is supported but adds a delay on the answer to the users:
http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/SHCarchitecture#Artifact_proxying
Documentation:
docs.splunk.com/Documentation/Splunk/latest/DistSearch/AboutSHC
Consider this topology:
tv -> desktop pc -> http load balancer -> search head cluster (SH1 + SH2)
SH1 is streaming real-time search results to the TV.
Real time searches are not replicated (page 19 in conf2014_MustafaAhamed_EricWoo_AnirbanRahut_Splunk_Whats_New.pdf)
When SH1 failes, what happens on the TV? Will there be auto failover?
Will the user have to go to the desktop pc and restart the real-time search?
This feature was not part of the beta.
You will receive higher quality information when 6.2 is released, but I think it is acceptable for me to make the following comments as an individual.
While we are all of course excited to replace Search Head Pooling with its difficult-to-meet demand on an extremely high performance NFS store, this will be brand new significantly complicated functionality doing an initial release. If you plan to be early adopters understand there are likely to be hiccups. This is not an official Splunk position. This is just my comment.
That said the general target is nodes with local storage and reliable communication among the nodes, like a set of boxes in a data center. There are no external requirements resource requirements beyond the network. The load on the nodes will be generally similar to a conventional search head, with all the usual variables that come with the search load patterns and the types of searches run. The additional resource demand is that nodes will need to rapidly transfer data between them in some scenarios, such as when requesting the output of a search that was run on a different node.
I will add that you should also expect to use additional temp space in the dispatch directory, the place where intermediate search results are stored. One feature of SHC is to create replicas of search results (from jobs, etc) so that results can be available even if a node fails. In practice, most people will have enough excess space, but a few will find that they are running pretty tight and may need to increase.