multi site splunk deployment

sabaKhadivi · ‎02-05-2019

what is the suitable solution in the situation of 3 data center with huge amount of recieved logs without need to replicate logs ,

1. one heavy forwarder per each datacenter, 2-3 indexer and one search head per data center
2. one heavy forwarder for all sites, 2-3 indexer per data center, 1 search head per data center?
3. one heavy forwarder per datacenter, 2-3 indexer per data center, 1 search head totally for 3 data centers.
and is there any need to cluster search heads if having 3 search head is a good way?

sabaKhadivi · ‎02-05-2019

@BainM what about locating all indexers and a search head in one site??,what about the time all indexers and a search head licated in a site?@BainM

BainM · ‎02-06-2019

You would then have to contend with network traffic if your customers need to search the other 2 sites.
Local indexers and HF's at each site is best, in my humble opinion.

BainM · ‎02-05-2019

Scenario #1 with clustered searchheads if you want customer and admin convenience. If SH's are located in each DC, however, make sure your network connection is consistently within 60-100ms ICMP transit. Otherwise, just use separate searchheads as you suggest, if this is not an inconvenience for customers.

Consider scenario #3 only if using a very beefy searchhead; as this one is a much higher risk.

multi site splunk deployment

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!