Monitoring Splunk

search heads to search head cluster

sravankaripe
Communicator

Hi

In my company we have 8 search heads.

We want to change them into a search head cluster.

What configuration do I need to change? Please help me with this.

1 Solution

koshyk
Super Champion

This is a bit of an elaborate process and would require a Splunk admin who is well versed in SH clustering (or a request for Professional Services).

  1. You need to have a deployer (a separate Splunk instance)
  2. You need to have an odd number of SH members (so out of 8, discard 1 and make it 7)
  3. If you have sites, ensure one site has 4 and the other has 3
  4. Config requirements like SH factor and security key
  5. You need to meet pre-reqs, e.g. "indexer" versions should be the same as or lower than the SH members, etc. https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Systemrequirements#Splunk_Enterprise_ver...
  6. There is quite a lot to understand from this link: https://docs.splunk.com/Documentation/Splunk/7.2.6/DistSearch/SHCdeploymentoverview
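
An added illustration of items 1 and 4 in the answer above (not part of koshyk's post, and not taken from a real deployment): a minimal `server.conf` sketch for the deployer and for one cluster member. Host names, ports, the label and the key placeholder are assumptions, and "SH factor" is assumed to mean the search head replication factor.

```ini
# ---------------------------------------------------------------
# Deployer (separate Splunk instance, not a cluster member)
# $SPLUNK_HOME/etc/system/local/server.conf
# ---------------------------------------------------------------
[shclustering]
# Shared security key: must be identical on the deployer and on
# every member. Splunk encrypts the value in place at restart, so
# set it from a secrets store rather than keeping a clear-text copy.
pass4SymmKey = <REPLACE_WITH_SHARED_SECURITY_KEY>
# Label must match the label configured on the members.
shcluster_label = shcluster1

# ---------------------------------------------------------------
# Each search head member (repeat per member, changing mgmt_uri)
# $SPLUNK_HOME/etc/system/local/server.conf
# ---------------------------------------------------------------
# Port the member listens on for artifact replication
# (9200 is an assumed, unused port).
[replication_port://9200]

[shclustering]
disabled = 0
# This member's own management URI (assumed host name).
mgmt_uri = https://sh1.example.com:8089
# Number of copies of each search artifact kept across the cluster.
replication_factor = 3
# Where members fetch apps and configuration: the deployer above.
conf_deploy_fetch_url = https://deployer.example.com:8089
# Same key and label as on the deployer.
pass4SymmKey = <REPLACE_WITH_SHARED_SECURITY_KEY>
shcluster_label = shcluster1
```

The same member settings can be written with `splunk init shcluster-config`; after the members restart, one of them is bootstrapped as the first captain with `splunk bootstrap shcluster-captain`.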

woodcock
Esteemed Legend

Unless you have way too many search heads, I would add one to make it an odd 9 (instead of reducing by 1), because being part of a Search Head Cluster adds overhead that will make the capacity of each one a little bit less.
