Splunk Enterprise

Multiple search head cluster connected to single Indexer cluster

Communicator

Hi Everyone,

Basically, we have an indexer cluster where multiple search head clusters are connected.
I do not know the exact term but I would like to see the performance/usage of each shcluster. The only place I am able to see all the search head is connected to the cluster master where I have access to see the details. I do not have any other details in my DMC which related to other shclusters.

Thanks,
Purush

Labels (1)
0 Karma

SplunkTrust
SplunkTrust
Hi
I’m not sure what is your question, but you could use CM as MC if it’s enough big and you haven’t too many nodes on those SHCs. But probably the best solution is add one dedicated SH for MC.
r. Ismo
0 Karma

Communicator

Let me explain in detail.

I am the owner of an indexer cluster and search head cluster for my environment.
From other teams, they want to connect and see our data, hence I gave my cluster master details to them.
The other teams connected their search head using my cluster master details.

If my understanding is correct, the searches happen in the Indexer and return the results to the Search head.

With DMC, I am able to see my Indexer performance and searches usage but I want to know whether/what is the impact or usage of other search head cluster to my indexer. 

0 Karma

SplunkTrust
SplunkTrust
Then it’s enough to add your own SHC as peers to your MC/CM. But you must remember that when other SHCs have connected to your cluster, then they have almost full control of your data! The could define who can see what and even delete events from your cluster.
r. Ismo

Communicator

Thanks for the great point you have given about the access.

I did not understand your answer to my question. How can I see what other search head clusters are doing with my indexer cluster and is there any way to control the search head cluster using Cluster master because I have access to Indexer cluster, my search head cluster, and the cluster master whereas I don't have visibility to other search head cluster.

0 Karma

SplunkTrust
SplunkTrust
I think that you want to see how they are generating load to your cluster. That you could see directly from your indexer peer side. Use search menus on mc and select indexer side instead of search head (I try to recall those names as I haven’t splunk on my hands now). But if you want to see also what is happening on SHC side, then you must add those under settings - distributed search as search peer. Then add those in mc setting and add those as search head and if needed create your own custom groups for them.

Communicator

Thank you @soutamo . I am working on that and will accept the answer as soon as I get where I want.

Thanks once again for really valuable points which I did not realize to be noted when we are sharing the cluster with different teams.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!