Monitoring Splunk

search heads to search head cluster

sravankaripe
Communicator

Hi

In my company we are have 8 Search heads.

we want to change it into search head cluster.

what all the configuration i need to change please help me with this.

Tags (1)
0 Karma
1 Solution

koshyk
Super Champion

This is bit elaborative process and would require a Splunk admin who is well versed in SH clustering (or request for Professional services)

  1. You need to have a deployer (seperate Splunk instance)
  2. You need to have an odd number of SH members (So out of 8, discard 1 and make it 7)
  3. If you have sites, ensure one site has 4 and other have 3
  4. Config requirements like SH factor, security key
  5. You need to have pre-reqs like "indexer" versions should be same or lower than SH members etc. https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Systemrequirements#Splunk_Enterprise_ver...
  6. There is quite set of understanding to do from this link https://docs.splunk.com/Documentation/Splunk/7.2.6/DistSearch/SHCdeploymentoverview

View solution in original post

koshyk
Super Champion

This is bit elaborative process and would require a Splunk admin who is well versed in SH clustering (or request for Professional services)

  1. You need to have a deployer (seperate Splunk instance)
  2. You need to have an odd number of SH members (So out of 8, discard 1 and make it 7)
  3. If you have sites, ensure one site has 4 and other have 3
  4. Config requirements like SH factor, security key
  5. You need to have pre-reqs like "indexer" versions should be same or lower than SH members etc. https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Systemrequirements#Splunk_Enterprise_ver...
  6. There is quite set of understanding to do from this link https://docs.splunk.com/Documentation/Splunk/7.2.6/DistSearch/SHCdeploymentoverview

woodcock
Esteemed Legend

Unless you have way too many search heads, I would add one to make it odd 9 (instead of reduce 1), because being part of a Search Head Cluster adds overhead that will make the capacity of each one a little bit less.

0 Karma

ansif
Motivator
0 Karma
Get Updates on the Splunk Community!

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...