We currently use Enterprise Security, with a single search-head. We'd like to move to using SHC (took a hit recently), but have been advised against it (waiting on more details for why). Does anyone use ES with SHC? Can you share your experiences/challenges? Or can someone give me detail on why we shouldn't use SHC with ES?
First Thing to know that Windows search head clusters are not supported by Splunk Enterprise Security. so if you are not using nix you can not do it
if you do , it is supported but it is not the easiest to overcapitalized specially if you have some new Spelunkers. I would say if you are looking for HA consider somthing like snapshot or Rsync, if you are about performance, make sure that you followed all best practices, from data onbaording , data model acceleration, searches, cron jobs and so on ... fix every thing and then evaluate.
If your environment if passing all those checks and you still suffering ... then ES SHC is the way to go.. I have seen Splunkers who are very successful with it and others who just can not operate it
You use SHC with ES when you need the number of cores to cover how many searches you are dispatching. You have to cover data model accelerations, all the correlation searches and supporting searches you want to run. Then enough left over for ad box users.
Th ES docs cover the process for upgrading ES in SHC so you have to become comfortable with that.
It is usually the SHC deployment and upgrade process that causes most folks to blanket say don’t do ES in a SHC. They get intimidated by it.
If you have a small security team. And doing less than 1TB/day usually you are better off doing one beefy search head.