Deployment Architecture

Search Head Clustering (Minimum Nodes Required)

jspvkey
Explorer

Hi,
I am planning to create a Search Head Cluster using two Search Heads. Is this possible? I read somewhere that you need at least 3 nodes to create a Search Head Cluster. Is this true?

Thanks

1 Solution

jimodonald
Contributor

Minimum of three nodes.

Copied from the Distributed Search Manual:
http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/SHCsystemrequirements

Required number of instances
The cluster must contain at a minimum the number of members needed to fulfill both of these requirements:

  • Three members, so that the cluster can continue to function if one member goes down. See "Captain election process has deployment implications."
  • The replication factor number of instances. See "Choose the replication factor for the search head cluster."

For example, if your replication factor is either 2 or 3, you need at least three instances. If your replication factor is 5, you need at least five instances.

You can optionally add more members to boost search and user capacity.


bandit
Motivator

This may be worth a try. I'm looking into it myself. https://github.com/mhassan2/splunk-n-box
In my case, I have two 32 core/128GB RAM servers. It would make more sense to me to be able to scale on these hosts prior to purchasing additional hardware to form a search cluster. With Docker, I believe I could easily run 3+ Splunk instances on each host, allowing me also to solve the issue of port conflicts for a common replication port for search head clustering.

Rob

0 Karma

gjanders
SplunkTrust

Splunk conf 2017 recording and slides for Splunk'n'box

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
0 Karma

hitesh_kanchan
Explorer

You can create a Search Head Cluster using two Search Heads, but if one of the Search Heads goes down, then it will act as an independent search head and the scheduled searches will not work. We have configured the Search Head Cluster using two Search Heads.

0 Karma

anandhim
Path Finder

hitesh_kanchan, can the scheduled searches be made to work by assigning the second node as the static captain?

0 Karma
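
An added example, not part of the thread or of Splunk's documentation: a sizing check that applies the two requirements quoted in the accepted answer and shows why a two-member cluster cannot lose a node. It assumes dynamic captain election needs votes from a majority of all configured members; `size_cluster` and `ShcSizing` are hypothetical names.

```python
# Added example: search head cluster sizing check (illustrative, not Splunk code).
from dataclasses import dataclass

MIN_MEMBERS = 3  # floor quoted from the Distributed Search Manual in the accepted answer


@dataclass
class ShcSizing:
    members: int
    replication_factor: int
    required_members: int    # larger of the three-member floor and the replication factor
    meets_requirement: bool
    majority: int            # votes needed to elect a captain (assumption: majority of all members)
    tolerated_failures: int  # members that can be down while an election can still succeed


def size_cluster(members: int, replication_factor: int) -> ShcSizing:
    """Check a planned cluster against both documented minimums."""
    if members < 1 or replication_factor < 1:
        raise ValueError("members and replication_factor must be positive")
    required = max(MIN_MEMBERS, replication_factor)
    majority = members // 2 + 1
    return ShcSizing(
        members=members,
        replication_factor=replication_factor,
        required_members=required,
        meets_requirement=members >= required,
        majority=majority,
        tolerated_failures=members - majority,
    )


if __name__ == "__main__":
    # Constructed plans: the two-node case from the question, then the
    # replication factors used as examples in the quoted documentation.
    for members, rf in [(2, 2), (3, 2), (3, 3), (4, 5), (5, 5)]:
        s = size_cluster(members, rf)
        verdict = "ok" if s.meets_requirement else f"needs {s.required_members}"
        print(f"members={members} rf={rf}: {verdict}, "
              f"majority={s.majority}, tolerated failures={s.tolerated_failures}")
```
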

