Deployment Architecture

Splunk 6.2 Search Head Clustering (SHC) - Requirements / Documentation

bandit
Motivator

This exciting news.

I saw this published in Splunk's Blog:
Splunk Enterprise 6.2 adds a key capability with Search Head Clustering.
http://blogs.splunk.com/2014/10/07/enterprise_hunk_62/

Any details on the configuration requirements or architecture?
I couldn't yet find it in the 6.2 Beta docs.
I'm hoping to use this feature for a new implementation going live next month.

1 Solution

jrodman
Splunk Employee
Splunk Employee

This feature was not part of the beta.

You will receive higher quality information when 6.2 is released, but I think it is acceptable for me to make the following comments as an individual.

While we are all of course excited to replace Search Head Pooling with its difficult-to-meet demand on an extremely high performance NFS store, this will be brand new significantly complicated functionality doing an initial release. If you plan to be early adopters understand there are likely to be hiccups. This is not an official Splunk position. This is just my comment.

That said the general target is nodes with local storage and reliable communication among the nodes, like a set of boxes in a data center. There are no external requirements resource requirements beyond the network. The load on the nodes will be generally similar to a conventional search head, with all the usual variables that come with the search load patterns and the types of searches run. The additional resource demand is that nodes will need to rapidly transfer data between them in some scenarios, such as when requesting the output of a search that was run on a different node.

View solution in original post

theunf
Communicator

RT and Ad-Hoc remains not being replicated on SHC 6.2.3 ... only proxying is supported but adds a delay on the answer to the users:
http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/SHCarchitecture#Artifact_proxying

0 Karma

bandit
Motivator

Documentation:
docs.splunk.com/Documentation/Splunk/latest/DistSearch/AboutSHC

0 Karma

hylam
Contributor

Consider this topology:

tv -> desktop pc -> http load balancer -> search head cluster (SH1 + SH2)

SH1 is streaming real-time search results to the TV.

Real time searches are not replicated (page 19 in conf2014_MustafaAhamed_EricWoo_AnirbanRahut_Splunk_Whats_New.pdf)

When SH1 failes, what happens on the TV? Will there be auto failover?

Will the user have to go to the desktop pc and restart the real-time search?

0 Karma

jrodman
Splunk Employee
Splunk Employee

This feature was not part of the beta.

You will receive higher quality information when 6.2 is released, but I think it is acceptable for me to make the following comments as an individual.

While we are all of course excited to replace Search Head Pooling with its difficult-to-meet demand on an extremely high performance NFS store, this will be brand new significantly complicated functionality doing an initial release. If you plan to be early adopters understand there are likely to be hiccups. This is not an official Splunk position. This is just my comment.

That said the general target is nodes with local storage and reliable communication among the nodes, like a set of boxes in a data center. There are no external requirements resource requirements beyond the network. The load on the nodes will be generally similar to a conventional search head, with all the usual variables that come with the search load patterns and the types of searches run. The additional resource demand is that nodes will need to rapidly transfer data between them in some scenarios, such as when requesting the output of a search that was run on a different node.

gkanapathy
Splunk Employee
Splunk Employee

I will add that you should also expect to use additional temp space in the dispatch directory, the place where intermediate search results are stored. One feature of SHC is to create replicas of search results (from jobs, etc) so that results can be available even if a node fails. In practice, most people will have enough excess space, but a few will find that they are running pretty tight and may need to increase.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...