What is the difference between a Distributed and Clustered environment?

aoliullah
Path Finder

Hi. Could someone explain to me the difference between Distributed and Clustered environment in relation to Splunk? I keep thinking it's the same.

Thanks in advance!

1 Solution

skalliger
Motivator

Distributed does not necessarily mean clustered. A distributed environment describes the separation of indexing and searching logic in Splunk. In a non-distributed environment, you would have installed all the logic on a single machine, which does the indexing of data and also searches the data.

In a distributed environment however, you would have an indexer which gets data from several inputs and you would also have a search head, which searches across your indexer.

In a clustered environment, you could then combine multiple indexers to an indexer cluster for high-availability/data loss prevention (keeping multiple copies of your data). Talking of disaster recovery, you would then talk about a multi-site cluster (two clusters at different locations).
Also you would combine multiple search heads together, which distribute their searches to each other. Besides those two clusters, you will also need a deployer and a master (which can be the same machine) to manage your indexer and search head clusters.

Skalli

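To make the distinction concrete, here is an added example (not from this thread or from Splunk's documentation) of the configuration stanzas that separate the two setups described above; the hostnames, labels and the shared secret are placeholders, and the replication and search factors are illustrative values.

```ini
# --- Distributed, NOT clustered ---------------------------------------
# One search head, two stand-alone indexers. The search head simply
# knows the indexers as search peers; nothing replicates data between them.

# distsearch.conf on the search head
[distributedSearch]
servers = https://idx1.example.com:8089, https://idx2.example.com:8089

# --- Clustered ----------------------------------------------------------
# The same roles, but indexers now form an indexer cluster coordinated by
# a master, and search heads form a search head cluster fed by a deployer.

# server.conf on the cluster master (runs no indexing itself)
[clustering]
mode = master
cluster_label = idxcluster1
replication_factor = 2      # copies of each bucket kept in the cluster
search_factor = 2           # how many of those copies are searchable
pass4SymmKey = <cluster-shared-secret>   # placeholder; must match on all members

# server.conf on each indexer (cluster peer)
[replication_port://9887]

[clustering]
mode = slave
master_uri = https://cm.example.com:8089
pass4SymmKey = <cluster-shared-secret>

# server.conf on each search head: instead of a static peer list it asks
# the master which indexers are currently in the cluster
[clustering]
mode = searchhead
master_uri = https://cm.example.com:8089
pass4SymmKey = <cluster-shared-secret>

# server.conf on each search head cluster member: members replicate
# knowledge objects among themselves and pull apps from the deployer
[shclustering]
shcluster_label = shc1
replication_factor = 2
mgmt_uri = https://sh1.example.com:8089          # this member's own address
conf_deploy_fetch_url = https://deployer.example.com:8089
pass4SymmKey = <shc-shared-secret>               # separate secret from the indexer cluster
```

The two `pass4SymmKey` values are what authenticate members to each other, so they should be distinct per cluster and stored only in `server.conf` on the hosts that need them; the management port (8089) should likewise be reachable only from the cluster members and the master/deployer.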

ChrisG
Splunk Employee

There is a whole manual specifically about this subject. Start your reading at Scale your deployment with Splunk Enterprise components. The manual includes information about all the dimensions of a distributed deployment, including clustering, and explains a number of typical deployment scenarios.

gokadroid
Motivator

If it's about really differentiating the terms from each other, then one way can be to think of it as: clustering is within a layer, like a cluster of indexes or a cluster of search heads. Distributed can be one search head, one indexer, each on different machines.

Technical details of each setup might have some overlaps, but that's the simplest I could think of 🙂
