Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiple Search Heads in a Cluster

hvandenb
Path Finder
‎03-05-2014 09:33 AM

We're setting up an Index Cluster with a Master Node. From the documentation it looks like the Cluster will take care of replicating data and configuration between the Indexers. However, we're also wanting to have multiple search heads that work with the cluster.

What have people used to setup the search heads behind a load balancer. Do we need to use shared storage for the search heads or is there better configuration?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-05-2014 12:02 PM

you're looking for search head pooling: http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Configuresearchheadpooling

0 Karma
Reply
Solved! Jump to solution

hvandenb
Path Finder
‎03-06-2014 11:30 AM

I remember seeing a press on conf2013 about this as well. Basically, only the knowledge items need to be shared on the search heads.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-06-2014 10:05 AM

@gkanapathy did mention something similar to that in his Architecting for Scale talk at .conf 2012, maybe he can shed some light on viable alternatives to search head pooling.

0 Karma
Reply
Solved! Jump to solution

hvandenb
Path Finder
‎03-06-2014 08:11 AM

Thanks for the answer. I'd like to avoid using shared storage as this adds complexity. I heard that some folks rsync knowledge bundles between search heads. We don't plan on running scheduled searches on the search heads, but rather have a separate server for that.
Have you seen this as an option?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...