Deployment Architecture

Why is there no "cluster master" in Splunk recommendations?

psaminadin
New Member

Hi,

We are sizing a Splunk infrastructure and I was looking at this page :

Summary of performance recommendations

https://docs.splunk.com/Documentation/Splunk/7.3.2/Capacity/Summaryofperformancerecommendations

https://docs.splunk.com/Documentation/Splunk/latest/Capacity/Summaryofperformancerecommendations

On this page, there is an example of Splunk cluster with
- 1 SH
- 2 indexers

But in the "cluster administration course, it is explicitly said:
- the master nod must be run a dedicated node
- the master cannot be shared with the search head node

So the minimum cluster should be :
- 1 SH
- 2 indexers
- 1 Master

Can someone explain this to me?
- Why there is no master node on the recommendation page?
-If it's possible to share the search head and cluster master in production

Best regards

Pierre

Labels (3)
0 Karma

bastug58
New Member

So what about Cluster Master's disk requirements? Let say there are two indexers need to be managed by cluster masters?

0 Karma

Steve_G_
Splunk Employee
Splunk Employee

The topic in the Capacity Planning Manual just covers the relative requirements for search heads and indexers, based on your capacity needs.

If you set up an indexer cluster, there are a large number of other issues that you need to accommodate, including the cluster node requirements. Those are not specifically related to capacity concerns, and thus are not covered in the Capacity Planning Manual.

Rather, look in the Managing Indexers and Clusters of Indexers manual, where indexer clusters are covered in detail. Specifically, read the systems requirements topic: https://docs.splunk.com/Documentation/Splunk/7.3.2/Indexer/Systemrequirements

gcusello
SplunkTrust
SplunkTrust

Hi psaminadin,
Cluster Master and Master Node are the same thing!
When you speak of "recommendation page" are you speaking of Hardware reference o what else?
If you're speaking of Hardware reference, there isn't any reference for CM, but if you run an Health Check from the Monitoring Console, youll' have a warning for the configuration, that should be at least 12 CPUs and 12 GB of RAM.

Cluster Master MUST have a dedicated server, can eventually be shared with low impact instances as Deployer or License Master, but NEVER with Deployment Server, Indexer or Search Head.

As you can see at https://docs.splunk.com/Documentation/Splunk/7.3.2/Indexer/Systemrequirements , there are some main issues to note:

  • Each cluster node (master, peer, or search head) must reside on a separate Splunk Enterprise instance;
  • Each node instance must run on a separate machine or virtual machine, and each machine must be running the same operating system;
  • All nodes must be connected over a network;
  • There are strict version compatibility requirements between cluster nodes (they must have the same Splunk version).

Ciao.
Giuseppe

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...