Splunk Enterprise

Multiple search head clusters connected to a single indexer cluster

impurush
Contributor

Hi Everyone,

Basically, we have an indexer cluster where multiple search head clusters are connected.
I do not know the exact term, but I would like to see the performance/usage of each SH cluster. The only place I am able to see all the search heads connected is the cluster master, where I have access to see the details. I do not have any other details in my DMC related to the other SH clusters.

Thanks,
Purush


isoutamo
SplunkTrust
Hi
I’m not sure what your question is, but you could use the CM as the MC if it’s big enough and you don’t have too many nodes in those SHCs. But probably the best solution is to add one dedicated SH for the MC.
r. Ismo

impurush
Contributor

Let me explain in detail.

I am the owner of an indexer cluster and search head cluster for my environment.
Other teams want to connect and see our data, hence I gave my cluster master details to them.
The other teams connected their search heads using my cluster master details.

If my understanding is correct, the searches happen on the indexers, which return the results to the search head.

With the DMC, I am able to see my indexer performance and search usage, but I want to know whether there is an impact, and what the impact or usage of the other search head clusters is on my indexer.


isoutamo
SplunkTrust
Then it’s enough to add your own SHC as peers to your MC/CM. But you must remember that when other SHCs have connected to your cluster, they have almost full control of your data! They could define who can see what and even delete events from your cluster.
r. Ismo

impurush
Contributor

Thanks for the great point you have given about the access.

I did not understand your answer to my question. How can I see what other search head clusters are doing with my indexer cluster, and is there any way to control the search head clusters using the cluster master? I have access to the indexer cluster, my search head cluster, and the cluster master, whereas I don't have visibility into the other search head clusters.


isoutamo
SplunkTrust
I think that you want to see how they are generating load on your cluster. You could see that directly from your indexer peer side. Use the search menus on the MC and select the indexer side instead of the search head (I am trying to recall those names, as I don’t have Splunk at hand now). But if you also want to see what is happening on the SHC side, then you must add those under Settings - Distributed search as search peers. Then add those in the MC settings as search heads and, if needed, create your own custom groups for them.

impurush
Contributor

Thank you @isoutamo. I am working on that and will accept the answer as soon as I get where I want.

Thanks once again for the really valuable points, which I did not realize needed to be noted when we are sharing the cluster with different teams.
