Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Syncing dashboards and alerts on multi search head architecture

grahamrb
Explorer
‎06-05-2014 03:18 PM

We're in the process of doing a major upgrade to our Splunk environment. We're effectively moving from a single instance of Splunk doing everything to a "future-proof" setup with multiple indexers, multiple search heads and a separate deployment server.

I'd like to understand what best practice is for how dashboards and alerts should be set up in such an environment.

  1. With 2 or more search heads does a dashboard created on one search head appear on another search head? How do we achieve this? We plan on placing a load balancer in front of our search heads to distribute user load.
  2. How do alerts work? If we create an alert by logging into one of the search heads can we then configure it on the other search head? If it appears on both search heads does the alert run twice?

Thanks for any advice!

Reply

llee_splunk
Splunk Employee
Splunk Employee
‎06-24-2015 01:14 PM

Search head clustering (http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/AboutSHC) was introduced in Splunk Enterprise 6.2, released on October 28, 2014. A search head cluster captain (http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/SHCarchitecture#Search_head_cluster_ca...) coordinates activities among all cluster members. The responsibilities/activities include:

  • Scheduling jobs
  • Coordinating alerts and alert suppressions across the cluster
  • Pushing the knowledge bundle to search peers
  • Coordinating artifact replication
  • Replicating configuration updates

Also see:

Migrate from a standalone search head to a search head cluster
http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Migratefromstandalonesearchheads

Use the deployer to distribute apps and configuration updates
http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/PropagateSHCconfigurationchanges

How do you set app permissions in a search head cluster
http://answers.splunk.com/answers/225426/how-do-you-set-app-permissions-in-a-search-head-cl.html

0 Karma
Reply

antonyhan
Path Finder
‎04-13-2015 07:47 AM

I have the same question and would appreciate any input on the topic.
also, how to manage user settings in fore-mentioned environment when users access different search head and view the same dashboard ?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...