Deployment Architecture

Search Head Cluster - Hardware considerations

leefernan
Explorer

Hello Everyone,

I have an environment which has an index cluster and three search heads that are currently looking for data in this cluster. 

I want to create a SH cluster with this three search heads, but the hardware specifications between  them are different:

-SH1 40 Cores 128GB Ram, (Chosen as captain)

-SH2 24 Cores 64GB Ram, (Member)

-SH3 24 Cores 64GB Ram, (Member)

The Splunk documentation specifies that "Use identical specifications for all members (bare metal or VM)" 

What would be the impact or implications to deploy a search cluster with this servers different  in Hardware Specifications? 

The captain will use only just 24 cores and  64gb ram as the other cluster members? 

Or the captain will assume every server has the same hardware capabilities as him?  As the following text suggest: 


"Splunk recommends that you use homogeneous machines with identical hardware specifications for all cluster members. The reason is that the  cluster captain assigns scheduled jobs to members based on their current job loads. When it does this, it does not have insight into the actual processing power of each member's machine. Instead, it assumes that each machine is provisioned equally."

I will appreciate your knowledge, thoughts and recommendations. 

Thanks in advance. 

 

1 Solution

richgalloway
SplunkTrust
SplunkTrust

The SHC captain assumes all nodes are the same as itself.  That means it could give each member 46 searches (# CPUs + 6) when they can support only 30.  Search performance likely will suffer.

BTW, the cluster typically chooses its own captain, which means SH2 or SH3 could become captain and assume SH1 only supports 30 searches.  It that case, some resources are wasted.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The SHC captain assumes all nodes are the same as itself.  That means it could give each member 46 searches (# CPUs + 6) when they can support only 30.  Search performance likely will suffer.

BTW, the cluster typically chooses its own captain, which means SH2 or SH3 could become captain and assume SH1 only supports 30 searches.  It that case, some resources are wasted.

---
If this reply helps you, Karma would be appreciated.

leefernan
Explorer

 I suspected that. It's nice to have a confirmation. Thanks a lot!

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...