Splunk Enterprise Security

Can I use the same indexers for a Splunk Enterprise search head and another search head?

shubham87
Explorer

I am in the process of a Splunk Enterprise Security deployment. While deploying add-ons to my indexers, the documentation says:

"Splunk Enterprise Security is running on a complex deployment, such as one Enterprise Security search head and one search head for other searches both using the same set of indexers"
"Contact Splunk Professional Services for assistance with deploying add-ons to your indexers."

What are the issues with using the same set of indexers for an ES search head and another search head? Does anyone have documentation on how to deploy this successfully?

Regards
Shubham


ltrand
Contributor

Here is generally the reason behind this guidance:

From a supportability perspective, for both the admin and the customer, it's easier to have ES, which is very complex, on its own and not have other apps or TAs conflict with what ES expects.

That said, at the end of the day your indexers need to be large enough to support the total amount of search, regardless of the number of search heads, search head clusters, etc. that will be utilized. So as an admin, you need to ensure you're monitoring the indexers' load and size them for the total expected concurrency.


smoir_splunk
Splunk Employee

@shubham87, the main concern is having indexers big enough to support the added search load from two search heads. Having ES adds a significant search load to your indexers, and a second search head pointing to the same ones can increase that even more. As long as your indexers can support the added search load, you should be okay.
See the indexer scaling recommendations here: http://docs.splunk.com/Documentation/ES/4.7.2/Install/DeploymentPlanning#Indexer_scaling_considerati...
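Both answers above come down to measuring the combined search load that the ES search head and the second search head put on the shared indexers. The search below is an added example, not something from the original thread or from Splunk's documentation. It runs on a search head (for instance the Monitoring Console) that has the indexers as search peers, and reads the per-process introspection data that each indexer writes about its own search processes. The field names assumed here (data.process_type, data.search_props.role, data.search_props.search_head, data.search_props.sid, data.pct_cpu, data.mem_used) are my reading of the introspection PerProcess schema; check them against the Introspection documentation for your Splunk version before relying on the numbers.

```spl
// Added example: peak concurrent search processes on each indexer, broken out by the
// search head that originated them. Field names are assumptions; verify on your version.
index=_introspection sourcetype=splunk_resource_usage component=PerProcess
    data.process_type="search" data.search_props.role="peer"
// On a search peer, search_props.search_head names the originating search head.
| eval search_head=coalesce('data.search_props.search_head', "unknown")
// Each introspection sample carries one event per running search process, so
// distinct SIDs per sample timestamp per indexer is the instantaneous concurrency.
| stats dc(data.search_props.sid) AS concurrent_searches
        sum(data.pct_cpu)         AS pct_cpu
        sum(data.mem_used)        AS mem_used_mb
        BY _time host search_head
// Worst case per indexer and search head over the selected time range.
| chart max(concurrent_searches) AS peak_concurrent_searches
        OVER host BY search_head
```

Run it over at least a full week so the ES correlation searches and data model accelerations, which are scheduled rather than ad hoc, are captured at their busiest. The resulting table (one row per indexer, one column per search head) is what to compare against the indexer sizing guidance in the linked deployment planning page: if the sum across columns approaches the concurrency an indexer's CPU count can sustain, the shared indexers are undersized for both search heads together, regardless of how each one looks on its own.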

shubham87
Explorer

Is this the only concern? Is there anything else that we need to take care of?
