Monitoring Splunk

search heads to search head cluster

sravankaripe
Communicator

Hi

In my company we are have 8 Search heads.

we want to change it into search head cluster.

what all the configuration i need to change please help me with this.

Tags (1)
0 Karma
1 Solution

koshyk
Super Champion

This is bit elaborative process and would require a Splunk admin who is well versed in SH clustering (or request for Professional services)

  1. You need to have a deployer (seperate Splunk instance)
  2. You need to have an odd number of SH members (So out of 8, discard 1 and make it 7)
  3. If you have sites, ensure one site has 4 and other have 3
  4. Config requirements like SH factor, security key
  5. You need to have pre-reqs like "indexer" versions should be same or lower than SH members etc. https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Systemrequirements#Splunk_Enterprise_ver...
  6. There is quite set of understanding to do from this link https://docs.splunk.com/Documentation/Splunk/7.2.6/DistSearch/SHCdeploymentoverview

View solution in original post

koshyk
Super Champion

This is bit elaborative process and would require a Splunk admin who is well versed in SH clustering (or request for Professional services)

  1. You need to have a deployer (seperate Splunk instance)
  2. You need to have an odd number of SH members (So out of 8, discard 1 and make it 7)
  3. If you have sites, ensure one site has 4 and other have 3
  4. Config requirements like SH factor, security key
  5. You need to have pre-reqs like "indexer" versions should be same or lower than SH members etc. https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Systemrequirements#Splunk_Enterprise_ver...
  6. There is quite set of understanding to do from this link https://docs.splunk.com/Documentation/Splunk/7.2.6/DistSearch/SHCdeploymentoverview

woodcock
Esteemed Legend

Unless you have way too many search heads, I would add one to make it odd 9 (instead of reduce 1), because being part of a Search Head Cluster adds overhead that will make the capacity of each one a little bit less.

0 Karma

ansif
Motivator
0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...