Search Head Pooling Replicate Bundle

ephemeric
Contributor

Greetz,

Must one use mounted bundles with search head pooling?

I would like to enable search head pooling with minimal effort to start testing in a production environment.

So, can we use 4.2.3 with asynchronous bundle replication with search head pooling and "upgrade" to mounted bundles at a later stage?

Thanks.

1 Solution

ewoo
Splunk Employee

You do not need to use mounted bundles with search head pooling. You can rely on bundle replication to copy configurations from your search heads to your indexers.

You can upgrade to mounted bundles at a later stage.

ewoo
Splunk Employee

Whether or not you see bundles per-search-head or per-pool depends on the version of Splunk on your search heads. In 4.3.x and earlier, each search head replicates its own bundles by default. In 5.0 and higher, search heads send bundles on a per-pool basis -- see the "useSHPBundleReplication" setting in distsearch.conf.

In other words, the default behavior before 5.0 is to replicate bundles by serverName. In 5.0 and later, the default behavior is to replicate by search head pool GUID.

rtadams89
Contributor

I don't think this is correct. The pool should only send one bundle. If you look on your indexer, you'll see the bundles identified by the search pool GUID instead of the server names of the individual search heads in the pool.

ewoo
Splunk Employee

Correct -- with 2 heads in a pool and no mounted bundles, each search head sends a copy of the bundles.

dhaffner
Path Finder

Does this mean that, for example, with 2 search heads in a pool, and no mounted bundles, each search head will send its own bundle? Or will there be only one bundle that gets sent out to the peers?
