Deployment Architecture

adding search-heads to search-head pooling...

a212830
Champion

I am building out a new Splunk 6 with some new, shiny, heavy-duty servers (yay!). We are setting up search-head pooling across two servers and it got me thinking - is there any reason that, in the future (or even now) I can't add vm's to that search-head pool? They are going to be using the same NAS disk. Pro's? Con's? Seems like a nice, inexpensive way to expand search-head pooling...

Tags (1)
0 Karma

twinspop
Influencer

In my experience, VMs are poor search heads. The I/O requirements of Splunk are just too high. Additionally, SHP requires the use of an NFS share, which also slows down SH performance. Doing both is a double-whammy. Sure it works, but the performance is pretty poor. We recently got physical servers to replace our SHP'd VMs and the difference is night and day. (Even more so when I was testing them out before putting them in the SHP.)

a212830
Champion

Thanks for the info.

0 Karma
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...