Deployment Architecture

Splunk 6.2 Search Head Clustering (SHC) - Requirements / Documentation

bandit
Motivator

This exciting news.

I saw this published in Splunk's Blog:
Splunk Enterprise 6.2 adds a key capability with Search Head Clustering.
http://blogs.splunk.com/2014/10/07/enterprise_hunk_62/

Any details on the configuration requirements or architecture?
I couldn't yet find it in the 6.2 Beta docs.
I'm hoping to use this feature for a new implementation going live next month.

1 Solution

jrodman
Splunk Employee
Splunk Employee

This feature was not part of the beta.

You will receive higher quality information when 6.2 is released, but I think it is acceptable for me to make the following comments as an individual.

While we are all of course excited to replace Search Head Pooling with its difficult-to-meet demand on an extremely high performance NFS store, this will be brand new significantly complicated functionality doing an initial release. If you plan to be early adopters understand there are likely to be hiccups. This is not an official Splunk position. This is just my comment.

That said the general target is nodes with local storage and reliable communication among the nodes, like a set of boxes in a data center. There are no external requirements resource requirements beyond the network. The load on the nodes will be generally similar to a conventional search head, with all the usual variables that come with the search load patterns and the types of searches run. The additional resource demand is that nodes will need to rapidly transfer data between them in some scenarios, such as when requesting the output of a search that was run on a different node.

View solution in original post

theunf
Communicator

RT and Ad-Hoc remains not being replicated on SHC 6.2.3 ... only proxying is supported but adds a delay on the answer to the users:
http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/SHCarchitecture#Artifact_proxying

0 Karma

bandit
Motivator

Documentation:
docs.splunk.com/Documentation/Splunk/latest/DistSearch/AboutSHC

0 Karma

hylam
Contributor

Consider this topology:

tv -> desktop pc -> http load balancer -> search head cluster (SH1 + SH2)

SH1 is streaming real-time search results to the TV.

Real time searches are not replicated (page 19 in conf2014_MustafaAhamed_EricWoo_AnirbanRahut_Splunk_Whats_New.pdf)

When SH1 failes, what happens on the TV? Will there be auto failover?

Will the user have to go to the desktop pc and restart the real-time search?

0 Karma

jrodman
Splunk Employee
Splunk Employee

This feature was not part of the beta.

You will receive higher quality information when 6.2 is released, but I think it is acceptable for me to make the following comments as an individual.

While we are all of course excited to replace Search Head Pooling with its difficult-to-meet demand on an extremely high performance NFS store, this will be brand new significantly complicated functionality doing an initial release. If you plan to be early adopters understand there are likely to be hiccups. This is not an official Splunk position. This is just my comment.

That said the general target is nodes with local storage and reliable communication among the nodes, like a set of boxes in a data center. There are no external requirements resource requirements beyond the network. The load on the nodes will be generally similar to a conventional search head, with all the usual variables that come with the search load patterns and the types of searches run. The additional resource demand is that nodes will need to rapidly transfer data between them in some scenarios, such as when requesting the output of a search that was run on a different node.

gkanapathy
Splunk Employee
Splunk Employee

I will add that you should also expect to use additional temp space in the dispatch directory, the place where intermediate search results are stored. One feature of SHC is to create replicas of search results (from jobs, etc) so that results can be available even if a node fails. In practice, most people will have enough excess space, but a few will find that they are running pretty tight and may need to increase.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...