Splunk Enterprise Security

Can Enterprise Security use search-head clustering?

a212830
Champion

Hi,

We currently use Enterprise Security, with a single search-head. We'd like to move to using SHC (took a hit recently), but have been advised against it (waiting on more details for why). Does anyone use ES with SHC? Can you share your experiences/challenges? Or can someone give me detail on why we shouldn't use SHC with ES?

0 Karma

mosman_splunk
Splunk Employee
Splunk Employee

First Thing to know that Windows search head clusters are not supported by Splunk Enterprise Security. so if you are not using nix you can not do it

if you do , it is supported but it is not the easiest to overcapitalized specially if you have some new Spelunkers. I would say if you are looking for HA consider somthing like snapshot or Rsync, if you are about performance, make sure that you followed all best practices, from data onbaording , data model acceleration, searches, cron jobs and so on ... fix every thing and then evaluate.

If your environment if passing all those checks and you still suffering ... then ES SHC is the way to go.. I have seen Splunkers who are very successful with it and others who just can not operate it

0 Karma

Splunker
Communicator

George is exactly correct.

@a212830 per George's answer, if you do go the SHC route (as someone who has setup one or two :)), ES works well in a SHC.

Another reason you might consider a SHC, is if HA is absolutely necessary.

SHC has more moving parts is the basic fact, and everything that comes with having more moving parts, applies here as well.

It's just different that way, but if it's required, it does work, and works pretty well 🙂

Cheers!

0 Karma

ChrisG
Splunk Employee
Splunk Employee

People with more first-hand insight will provide more detailed answers and opinions, I am sure. But in the meantime a few points:

  • Per the Splunk Enterprise Security Installation and Upgrade Manual, "A distributed search deployment is recommended for deploying and running Splunk Enterprise Security" (Deployment planning).
  • That manual includes installation instructions and capacity planning information for search head clustering.
  • You might consider talking to Splunk Professional Services to help you with this.

starcher
SplunkTrust
SplunkTrust

You use SHC with ES when you need the number of cores to cover how many searches you are dispatching. You have to cover data model accelerations, all the correlation searches and supporting searches you want to run. Then enough left over for ad box users.

Th ES docs cover the process for upgrading ES in SHC so you have to become comfortable with that.

It is usually the SHC deployment and upgrade process that causes most folks to blanket say don’t do ES in a SHC. They get intimidated by it.

If you have a small security team. And doing less than 1TB/day usually you are better off doing one beefy search head.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...