- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: Master and Search Head together?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to configure Master and Search head together in one spunk instance? If it is, what should I take note of?
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As per splunk documentation,
A master node cannot do double duty as a peer node or a search node. The Splunk Enterprise instance that you enable as master node must perform only that single indexer cluster role. In addition, the master cannot share a machine with a peer.
Additional roles for the master node
As a general rule, you should dedicate the Splunk Enterprise instance running the master node to that single purpose. Under limited circumstances, however, the master instance can also fulfill certain other lightweight functions:
You can use the master's built-in search head for debugging purposes.
You might be able to run a search head cluster deployer on the master, depending on the master's load.
You might be able to run a distributed management console on the master instance, depending on the master's load.
To run a deployer or a distributed management console on the master, the master's cluster should stay below the following limits:
30 indexers
100,000 buckets
10 indexes
10 search heads
Reference : http://docs.splunk.com/Documentation/Splunk/6.3.2/Indexer/Enablethemasternode
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As per splunk documentation,
A master node cannot do double duty as a peer node or a search node. The Splunk Enterprise instance that you enable as master node must perform only that single indexer cluster role. In addition, the master cannot share a machine with a peer.
Additional roles for the master node
As a general rule, you should dedicate the Splunk Enterprise instance running the master node to that single purpose. Under limited circumstances, however, the master instance can also fulfill certain other lightweight functions:
You can use the master's built-in search head for debugging purposes.
You might be able to run a search head cluster deployer on the master, depending on the master's load.
You might be able to run a distributed management console on the master instance, depending on the master's load.
To run a deployer or a distributed management console on the master, the master's cluster should stay below the following limits:
30 indexers
100,000 buckets
10 indexes
10 search heads
Reference : http://docs.splunk.com/Documentation/Splunk/6.3.2/Indexer/Enablethemasternode
What goes around comes around. If it helps, hit it with Karma 🙂
Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...
Troubleshooting the OpenTelemetry Collector
Adoption of Infrastructure Monitoring at Splunk
