Monitoring Splunk

Multiple SearchHeads (one per DC) – How to take advantage of report acceleration data?

t9445
Path Finder

Hi, hoping this is a basic question, the lead-in is long, however the questions are brief.

We have multiple Data-Centers (DCs), and have been advised not to use SearchHead pooling across DCs (known issue due to latency concerns etc. as we understand); however, we need to provide local access to users geographically located near/within some specific DCs, as well as Disaster Recovery (DR) + Redundancy (e.g. if a DC is down, typically/hopefully for DR tests, the users can still access the SearchHead in other DCs).

Each of the SearchHeads is not aware of the other SearchHeads and forwards ALL data to their local DC indexers (e.g. no-splunk-data is stored locally). Additionally each SearchHead is aware of all indexers (so we can do complete infrastructure searches regardless of which SearchHead is being accessed by the user).
Using deployment-server we are populating our SearchHeads accordingly with various apps (essentially the SearchHeads, with some minor exceptions, are clones).

So, if we have a Splunk-application that by definition has report-acceleration enabled, and we deploy this application to all of our SearchHeads, I note that the "Summary ID" (in Manager > Report Acceleration) is the same across all SearchHeads.

  1. Is the associated Report Acceleration data duplicated since the report acceleration is enabled on each SearchHead? (Assume so, since the acceleration queries etc. are running on each SearchHead.)

  2. If we disable acceleration on all but one SearchHead within the apps, is there any way to enable the other SearchHeads to take advantage of the generated acceleration data from the one-SearchHead?

Yes, optimally we would be using SearchHead pooling; however, X-DC is not recommended (at least currently, as I understand). Another possibility is summary indices instead; however, would prefer to take advantage of report acceleration (and most importantly continue to keep all options open to our Splunk-users that are developing Splunk-apps).

Appreciate any inputs

thanks

-tom

0 Karma

jonuwz
Influencer

Unlike summary indexes, report acceleration summaries are not manually created indexes that reside on the search head but rather automatically-created data summaries that are stored alongside the buckets within ordinary indexes.

source

So

1) no - there is no duplication on the search heads, because that's not where the data is stored anyway.

2) Not applicable

0 Karma

t9445
Path Finder

(Think I was unclear, apologies.) Understood that the data is not on the SearchHeads. If the same accelerated reports (identical due to swr distribution) are installed on multiple autonomous SearchHeads, will the accelerated data be duplicated (on the indexers)? In subsequent testing it appears so. Is there any way to have it so one SearchHead (cannot use SearchHead pooling due to our environment, X-DC) can generate the relevant accelerated data and the other SearchHeads take advantage of that data (since it is available to them on the indexers -- all indexers known by all SearchHeads)?

0 Karma