Splunk Enterprise Security

Since Enterprise Security can only have 1 instance running, how do you handle high availability if that search head stops working?

Splunker
Communicator

Hi all,

I have a 2-site distributed architecture of Splunk, with 1 search head in each site (and indexers and heavy forwarders, but right now I am focusing on the search heads). It is a fully virtualized solution (VMware).

Since Splunk Enterprise Security can only have 1 instance running on any particular deployment, how do folks handle high availability if that search head stops working?

There is a WAN between sites, so I've been told rsync is the best way (rather than SH pooling), which is fine, but I'd love to hear other people's experiences with this type of setup.

Failing over, failing back, and any issues in between to be wary of. Also, do you just rsync all of /opt/splunk/etc/* across and leave Splunk not running on the warm standby instance until it's needed?

Would appreciate any advice.

Thanks.

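The rsync-to-warm-standby approach the question asks about, written out as an added example; this is not code from the thread or from Splunk. It assumes only `$SPLUNK_HOME/etc` is mirrored, that Splunk stays stopped on the standby until failover, and that `instance.cfg` (the instance GUID) and `system/local/server.conf` (serverName and host-specific settings) are the files that must keep their standby-side values so the standby does not take on the primary's identity; that exclusion list is an assumption about this deployment, and the function names `es_sync_etc` and `es_sync_missing` and the variable `ES_SYNC_EXCLUDES` are hypothetical. Everything else under `etc/`, including `auth/splunk.secret`, is mirrored so credentials encrypted on the primary still decrypt on the standby.

```shell
#!/bin/sh
# Added example: mirror a primary ES search head's etc/ tree to a warm standby.
# Paths, exclusions and names are assumptions for illustration, not Splunk's
# own procedure.

# Files that stay instance-specific on the standby, relative to etc/.
#   instance.cfg               per-instance GUID
#   system/local/server.conf   serverName and host-specific settings
# (assumed list; audit your own server.conf for other host-bound values)
ES_SYNC_EXCLUDES="instance.cfg system/local/server.conf"

# es_sync_etc SRC DST: mirror SRC (primary etc/) into DST (standby etc/).
# With rsync, DST may be host:/opt/splunk/etc; --delete removes files the
# primary dropped, but excluded files already on DST are left alone (rsync
# needs --delete-excluded to touch them). Without rsync a tar pipe copies
# to a local DST only and does not remove stale files.
es_sync_etc() {
    src=$1
    dst=$2
    mkdir -p "$dst"
    if command -v rsync >/dev/null 2>&1; then
        set --
        for e in $ES_SYNC_EXCLUDES; do set -- "$@" --exclude="/$e"; done
        rsync -a --delete "$@" "$src/" "$dst/"
    else
        set --
        for e in $ES_SYNC_EXCLUDES; do set -- "$@" --exclude="./$e"; done
        (cd "$src" && tar "$@" -cf - .) | (cd "$dst" && tar -xf -)
    fi
}

# es_sync_missing SRC DST: print files present on the primary but absent on
# the standby, ignoring the excluded ones. Empty output means in sync; run
# this before starting Splunk on the standby during a failover.
es_sync_missing() {
    src=$1
    dst=$2
    (cd "$src" && find . -type f) | while IFS= read -r f; do
        rel=${f#./}
        skip=0
        for e in $ES_SYNC_EXCLUDES; do
            if [ "$rel" = "$e" ]; then skip=1; fi
        done
        if [ "$skip" -eq 1 ]; then continue; fi
        if [ ! -f "$dst/$rel" ]; then printf '%s\n' "$rel"; fi
    done
}

# Usage (after sourcing this file), both paths assumed:
#   es_sync_etc /opt/splunk/etc es-standby:/opt/splunk/etc
#   es_sync_missing /opt/splunk/etc /mnt/es-standby/etc
```

A cron job that calls `es_sync_etc` from the primary keeps the standby current; on failover, confirm `es_sync_missing` prints nothing, start Splunk on the standby, and repoint the indexers' and users' references to the new search head. Failing back is the same sync in the opposite direction, again with the standby's Splunk stopped first.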

matthieu_araman
Communicator

Hello,

You could use the search head clustering functionality from Splunk 6.2.
You'll need at least Splunk ES 3.2.1, the latest Splunk, and to meet the requirements for SHC (for example, at least 3 servers, or 4 (2 on each site) in some failover scenarios).
This would also divide the load between the servers.
Depending on your context, you should discuss the adapted requirements for SHC + ES with Splunk.


PrinceOfEval
Path Finder

I'm curious if you've found an answer to this. I've had discussions about it but never implemented anything. As I understand, a major issue with having non-pooled ES search heads is that the notable index is prone to confusion. Also, they would both need to build their own data model summaries, which may cause performance issues with indexers.
