Deployment Architecture

In a Splunk Distributed Environment, what is the limit of indexers by a single dedicated search head?

arlakathena
Explorer

I have Splunk distributed 7.2.1 (1 dedicated Search Head with multiple non-clustered indexers)

  1. I am wondering if there is a limit of indexers by a single dedicated search head (how many indexers can a search head support?)
  2. I am planning on adding a distant instance of Splunk Enterprise as an indexer over VPN (based on client request). Is that possible?

Note: the dedicated search head is acting as deployment server and license manager as well.

1 Solution

prakash007
Builder
  1. I don't think there is a limit in this case; for instance, we had a stand-alone search head with 20 peers (indexers).
  2. You can add as long as the Search Head is able to communicate with the Indexer over VPN, but you might encounter some network latency.

This Splunk doc might give you an idea on scaling your infrastructure:
http://docs.splunk.com/Documentation/Splunk/7.2.1/Capacity/Summaryofperformancerecommendations


jmaple_splunk
Splunk Employee

Out of curiosity, would the remote indexer you're planning on be better suited as a heavy forwarder that just sends traffic back to your main indexers at the other end of the VPN tunnel? Seems like the easiest way to avoid latency issues depending on the distance.

arlakathena
Explorer

When the client chooses that the data stays stored locally at his side, we can't judge him! Also, I would need another indexer at my side to receive parsed events coming from the heavy forwarder as you suggested!

My point here is that I would search data through my dedicated Search Head (no local storage/index) to the indexer (at the client side) via VPN; data will be stored there, and his license will be a slave of my license manager.

Anonymous
Not applicable

The Search head uses "URL:8089".
As long as it can connect to it, there should not be any problems.

But the underlying infrastructure may be using some CPU resources. Is the VPN software, or is it a Site2Site VPN?
You will most likely encounter some lag, but I think it will work.

But it all depends on the network and the CPU/memory of the Search head.
The indexer you are pulling data from will not even know if you're on another network.

But if you can reach the indexer/peer via the VPN tunnel, you are all good.

arlakathena
Explorer

The Search Head is deployed with the best practice hardware requirements, so I don't think there will be a problem there.
The best way I'm planning this is on a Site2Site VPN. I think the network capacity is extensible, so logically there is no problem.

Anonymous
Not applicable

Please let us know how it went. If you are experiencing lag, then you could adjust the timeout on the Search head.

arlakathena
Explorer

It's working for 2 months now!
No break-ups or failures.


Anonymous
Not applicable

Wonderful:)
