Why should I use search head clustering and what are recommendations on implementing it in my multisite environment?

andrey2007
Contributor

Hello all

Please clarify some cases for me.
For example, I have a multisite cluster on 2 sites with absolutely similar hardware, except there is a cluster master on site1, and users use both sites of the cluster for searching (my SF=RF=1:2). As I can read in the documentation, there is a possibility to create a multisite cluster of search heads.

1) What is the reason to do this? What is the best way to use 8 search heads for clustering (4 SH on each site)? As I found in some docs, dividing them 4:4 (4 on one site and 4 on the other) is not good as they cannot choose a captain. Should I create one cluster of SH, 2 clusters, or a multisite cluster of SH on 2 sites and implement search affinity? I cannot find docs about recommendations.

2) I did not see a Job Server (I need it to create summary indexes) for 6.2, or does one of the SH in the cluster act as Job Server now?

Please share your experience about Search Head clustering.

gwalford
Path Finder

Why would you have more than one web server? The reason is, if you have clustered web servers, a server can go offline but your customers never notice. This is the reason you want clustered search heads.

As for dividing them, that depends on your needs.

0 Karma

martin_mueller
SplunkTrust

The SH cluster shares the workload of scheduled searches amongst its members, so you basically get a cluster of job servers implicitly... that's also redundant, so no worrying about your single job server going down.

0 Karma

andrey2007
Contributor

What guarantees that a user logs in only to search heads that have his searches, field extractions, etc.? I have 8 SH in the cluster and my replication factor is 3, so only 3 SH have the search artifacts of user A. How should the load balancer know which search head the user should be logged in to? Or should I set the replication factor to 8 to resolve this problem?

0 Karma

mahamed_splunk
Splunk Employee

No need to set replication factor to 8. If the user logs in to a SH which doesn't have the search artifact then the system is smart enough to reach out to the node which has it and return results.

andrey2007
Contributor

So I'll try to make my question more concrete. What is the advantage of an SH cluster over a search head shared bundle? Only that the shared bundle is a SPOF?
And is it possible to have 2 synchronized SH clusters, and how does that differ from a two-site SH cluster?

0 Karma