Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Syncing dashboards and alerts on multi search head architecture

grahamrb
Explorer
‎06-05-2014 03:18 PM

We're in the process of doing a major upgrade to our Splunk environment. We're effectively moving from a single instance of Splunk doing everything to a "future-proof" setup with multiple indexers, multiple search heads and a separate deployment server.

I'd like to understand what best practice is for how dashboards and alerts should be set up in such an environment.

  1. With 2 or more search heads does a dashboard created on one search head appear on another search head? How do we achieve this? We plan on placing a load balancer in front of our search heads to distribute user load.
  2. How do alerts work? If we create an alert by logging into one of the search heads can we then configure it on the other search head? If it appears on both search heads does the alert run twice?

Thanks for any advice!

Reply

llee_splunk
Splunk Employee
Splunk Employee
‎06-24-2015 01:14 PM

Search head clustering (http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/AboutSHC) was introduced in Splunk Enterprise 6.2, released on October 28, 2014. A search head cluster captain (http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/SHCarchitecture#Search_head_cluster_ca...) coordinates activities among all cluster members. The responsibilities/activities include:

  • Scheduling jobs
  • Coordinating alerts and alert suppressions across the cluster
  • Pushing the knowledge bundle to search peers
  • Coordinating artifact replication
  • Replicating configuration updates

Also see:

Migrate from a standalone search head to a search head cluster
http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Migratefromstandalonesearchheads

Use the deployer to distribute apps and configuration updates
http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/PropagateSHCconfigurationchanges

How do you set app permissions in a search head cluster
http://answers.splunk.com/answers/225426/how-do-you-set-app-permissions-in-a-search-head-cl.html

0 Karma
Reply

antonyhan
Path Finder
‎04-13-2015 07:47 AM

I have the same question and would appreciate any input on the topic.
also, how to manage user settings in fore-mentioned environment when users access different search head and view the same dashboard ?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...