Deployment Architecture

Splunk Architecture for two servers

apakhomov
Path Finder

Hello All,

I have two high-performance servers for Splunk in different segments.
The first server will receive data and send to second one (indexer).
Additional restrictions:

  • A volume to store the indexed data can be connected only to the first server. So the indexer can be only one.

But I don't want to dedicate the first server only as a forwarder.

Question:
Is it possible to use the first server also to optimize search performance?

I suppose that I can use the first server as an indexer, the second one as a forwarder and a search head. But if we have only one indexer, will we get a performance improvement from the dedicated search head?


Best regards, Artem.

0 Karma
1 Solution

woodcock
Esteemed Legend

Yes you can (and IMHO should) make it an Indexer, too, which should double your search performance.

View solution in original post

woodcock
Esteemed Legend

Yes you can (and IMHO should) make it an Indexer, too, which should double your search performance.

apakhomov
Path Finder

Sorry I didn't write in the first post:
A volume to store the indexed data can be connected only to one server - indexer in the first post. So the indexer can be only one.


Best regards, Artem.

0 Karma

woodcock
Esteemed Legend

You can make the Forwarder your Search Head so that you are not logging into the Indexer directly to run Searches. This will help some to speed things. Because your Forwarder is handling so small a data stream such that it can be handled by a single Indexers, I am sure it can also handle the load of being a Search Head.

0 Karma

apakhomov
Path Finder

Thanks, you support my suppose. Also I found an indirect confirmation in the documentation. Splunk recommends use one search head for one indexer if we have from 2 till 250 GB daily indexing volume with up to 16 users.
I also suppose I can forward the users on search head and on indexer directly to use indexer for perform search requests too.

Unfortunately in the documentation I can't find how to use dedicated search head without an indexer cluster. Need I make cluster with one indexer?
And how to distribute an user settings (if I can use indexer to perform search requests) - mount the Knowledge bundle (../splunk/etc) from one server to another?


Best regards, Artem.

0 Karma

apakhomov
Path Finder

I found document on connect a search head with a search pear (indexer) without an indexer cluster:
http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/Configuredistributedsearch

So now actual only last questions:
Could I use the indexer to perform search requests too?
And how to distribute an user settings (if I can use indexer to perform search requests) - mount the Knowledge bundle (../splunk/etc) from one server to another?


Best regards, Artem.

0 Karma

woodcock
Esteemed Legend

Yes, by default, your Indexer should should have a web interface on port 8000 (or is it 8080?) and if you browse it on that port, it will let you log in and run searches on it. This should not require any configuration. I would advise against doing so, though.

0 Karma

apakhomov
Path Finder

Could you write more details - why not?

Best regards, Artem.

0 Karma

woodcock
Esteemed Legend

First of all, 1 Search Head (your Forwarder) will probably be just fine forever so you don't need more than 1 (no benefit). You only have 1 indexer so it going to handle all of the base parts of every search so don't add even more burden to it.

0 Karma

apakhomov
Path Finder

Thank you very much! Your answers are very helpful for me!

Best regards, Artem.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...