Splunk Search

How to install multiple search heads

mehmettecer
Explorer

Hi guys,

I have a distributed splunk environment where I have 1 search head and 3 indexers.
I would like to install second search head for maintenance reasons, so when I need to do kernel or splunk updates on first search head, second search head is still available for users.

How can I accomplish this. ? Any links to an how to would be great too.

Thanks

0 Karma

Damien_Dallimor
Ultra Champion

Are you planning to use Search Head Pooling, optionally with both heads behind a load balancer so your users can transparently be failed over to another head (during maintenance) ?

This link has some good info.

A few key points :

-you'll need shared storage(ie: NAS) so the search heads can share the same etc/apps , etc/users directorys

-each head maintains its own etc/system directory

-enable pooling on each head (simple to do using the CLI)

-if using local users, the etc/passwd file must be maintained on each search head.I prefer using LDAP authentication.

-if using a load balancer and alerting , setup the load balancer host name as the alert link hostname.

dwaddle
SplunkTrust
SplunkTrust

The steps are pretty much the same for your 2nd/3rd/4th search heads. You will, however, want to make sure that you copy/replicate your config apps/bundles to the additional search head so they use the same field extractions, lookups and such.

0 Karma

mehmettecer
Explorer

Thanks for the link. I already saw this one.

I need to install my 2nd search head.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...