I'm at the planning stage of designing a Splunk deployment for our global setup. I've been tasked with making this as lightweight on the network as possible, as our WAN links are expensive (in both time and cost) and I can't get in the way of existing traffic. So I think I need to set aside the best-practice examples of indexers all replicating their data between them, as that appears to be mainly about search performance. We're happy to accept slower searches in exchange for a lower data replication cost.
Please point me at docs if this idea is covered somewhere; I haven't found anything myself.
I'm planning the following, and have a couple of questions:
Am I right in thinking that a search head sends a query to each indexer (or should I be saying search peer?), and each one prepares a result set and sends it back to the requesting search head, which collates and presents the results to the user?
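That mental model (fan the query out to every peer, collate the partial results on the search head) can be sketched roughly like this. This is only an illustration of the scatter-gather pattern, not Splunk's actual internals; the peer names and result shapes are invented:

```python
from concurrent.futures import ThreadPoolExecutor

# Hypothetical peer names; in a real deployment these would be your
# indexers, configured as search peers on the search head.
SEARCH_PEERS = ["idx-emea", "idx-apac", "idx-us"]

def run_on_peer(peer, query):
    """Stand-in for the map phase: each peer evaluates the query
    against its own data and returns only the matching events."""
    # Fake per-peer results, purely for illustration.
    fake_data = {
        "idx-emea": [{"_raw": "ERROR timeout", "peer": "idx-emea"}],
        "idx-apac": [],
        "idx-us":   [{"_raw": "ERROR disk full", "peer": "idx-us"}],
    }
    return fake_data[peer]

def distributed_search(query):
    """Reduce phase: the search head fans the query out to every
    peer in parallel, then collates the partial result sets."""
    with ThreadPoolExecutor() as pool:
        partials = pool.map(lambda p: run_on_peer(p, query), SEARCH_PEERS)
    return [event for part in partials for event in part]

print(distributed_search("search ERROR"))
```

The key point for your WAN question is that only the matching events cross the network, not the full buckets; the peers do the filtering locally.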
If that's all true and would work, is there a way to quantify how much data is sent between the indexers and the search head? Is it as simple as just the _raw values that match the search criteria, with the search head doing any further processing?
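For a first rough answer, a back-of-envelope estimate is matching events x average _raw size, plus some allowance for the indexed/default fields shipped with each event and protocol framing. All the numbers and overhead factors below are assumptions for illustration; on a real search, the Job Inspector is the authoritative place to see what actually moved:

```python
def estimate_search_traffic_bytes(matching_events, avg_raw_bytes,
                                  field_overhead_bytes=200,
                                  protocol_overhead=1.1):
    """Back-of-envelope estimate of bytes sent from search peers to
    the search head for one search. The defaults are assumptions:
    field_overhead_bytes covers indexed/default fields carried with
    each event, and protocol_overhead is a fudge factor for framing."""
    per_event = avg_raw_bytes + field_overhead_bytes
    return int(matching_events * per_event * protocol_overhead)

# Example: 50,000 matching events averaging 300 bytes of _raw
# comes out to roughly 27.5 MB for that one search.
print(estimate_search_traffic_bytes(50_000, 300))
```

Note this only models the peer-to-search-head leg; a search that does heavy post-processing on the search head still only pulls the matching events, whereas streaming commands that run on the peers can reduce what crosses the wire further.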
Thanks in advance!
I am not a Splunk certified architect, so rather than a complete answer I'd offer some tips. First tip: I would consider contacting Splunk Professional Services if you are planning such an environment.
Regarding your questions, there are a few things you might want to consider:
Thanks for the reply. We're talking with a Splunk representative as well, but it's useful (and quicker) to get the views of the community at times!
I'll take a look at the resources you mention; they seem very useful.