Deployment Architecture
Highlighted

Why should I use search head clustering and what are recommendations on implementing it in my multisite environment?

Contributor

Hello all

Please clarify some cases for me.
For example, I have a multisite cluster on 2 sites with absolutely similar hardware, except there is a cluster master on site1 and users use both sites of cluster for searching (my SF=RF=1:2). As I can read in documentation, there is a possibility to create a multisite cluster of search heads.

1) What is the reason to do this? What is the best way to use 8 Search heads for clustering (4 SH on each site)? As I found in some docs, to divide them in 4:4 (4 one site and 4 for another) is not good as they can not choose a Captain. Should I create one cluster of SH, 2 clusters or Multisite cluster of SH on 2 sites and implement search affinity? I can not find docs about recommendations.

2) I did not see a Job Server (I need it to create summary indexes) for 6.2, or does one of the SH in cluster acts as Job Server now??

Please share your experience about Search Head clustering.

Highlighted

Re: Why should I use search head clustering and what are recommendations on implementing it in my multisite environment?

Path Finder

Why would you have more than one web server? The reason is, if you have clustered web servers, a server can go offline but your customers never notice. This is the reason you want clustered search heads.

As for dividing them, that depends on your needs.

0 Karma
Highlighted

Re: Why should I use search head clustering and what are recommendations on implementing it in my multisite environment?

Contributor

So try to make my question more concrete. What is the advantage of SH cluster above search head shared bundle ? Only that shared bundle is a sopf?
And is it possible to have 2 synchronized sh clusters and how it differs from two site sh cluster?

0 Karma
Highlighted

Re: Why should I use search head clustering and what are recommendations on implementing it in my multisite environment?

SplunkTrust
SplunkTrust

The SH cluster shares the workload of scheduled searches amongst its members, so you basically get a cluster of job servers implicitly... that's also redundant, so no worrying about your single job server going down.

0 Karma
Highlighted

Re: Why should I use search head clustering and what are recommendations on implementing it in my multisite environment?

Contributor

What does garantie user to login only search heads with his searches, field extractions and etc. I have 8 SH in cluster, my factor of replication is 3 so only 3 SH has search artifacts of user A, so how load balancer should know about what search head should user be logged in?- or I should make replication factor 8 to resolve this problem?

0 Karma
Highlighted

Re: Why should I use search head clustering and what are recommendations on implementing it in my multisite environment?

Splunk Employee
Splunk Employee

No need to set replication factor to 8. If the user logs in to a SH which doesn't have the search artifact then the system is smart enough to reach out to the node which has it and return results.