Splunk Enterprise Security

Can Enterprise Security use search-head clustering?

a212830
Champion

Hi,

We currently use Enterprise Security, with a single search-head. We'd like to move to using SHC (took a hit recently), but have been advised against it (waiting on more details for why). Does anyone use ES with SHC? Can you share your experiences/challenges? Or can someone give me detail on why we shouldn't use SHC with ES?


mosman_splunk
Splunk Employee

First thing to know: Windows search head clusters are not supported by Splunk Enterprise Security, so if you are not using *nix you cannot do it.

If you do, it is supported, but it is not the easiest to operationalize, especially if you have some new Splunkers. I would say if you are looking for HA, consider something like snapshots or rsync; if you are after performance, make sure that you followed all best practices, from data onboarding, data model acceleration, searches, cron jobs and so on... fix everything and then evaluate.

If your environment is passing all those checks and you are still suffering... then ES SHC is the way to go. I have seen Splunkers who are very successful with it and others who just cannot operate it.


Splunker
Communicator

George is exactly correct.

@a212830 per George's answer, if you do go the SHC route (as someone who has set up one or two :)), ES works well in a SHC.

Another reason you might consider a SHC, is if HA is absolutely necessary.

The basic fact is that SHC has more moving parts, and everything that comes with having more moving parts applies here as well.

It's just different that way, but if it's required, it does work, and works pretty well 🙂

Cheers!


ChrisG
Splunk Employee

People with more first-hand insight will provide more detailed answers and opinions, I am sure. But in the meantime a few points:

  • Per the Splunk Enterprise Security Installation and Upgrade Manual, "A distributed search deployment is recommended for deploying and running Splunk Enterprise Security" (Deployment planning).
  • That manual includes installation instructions and capacity planning information for search head clustering.
  • You might consider talking to Splunk Professional Services to help you with this.

starcher
Influencer

You use SHC with ES when you need the number of cores to cover how many searches you are dispatching. You have to cover data model accelerations, all the correlation searches and supporting searches you want to run, and then have enough left over for ad hoc users.

The ES docs cover the process for upgrading ES in a SHC, so you have to become comfortable with that.

It is usually the SHC deployment and upgrade process that causes most folks to say blanket "don't do ES in a SHC". They get intimidated by it.

If you have a small security team and are doing less than 1TB/day, you are usually better off with one beefy search head.
