- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Do all server configurations need to be identical ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do all server configurations need to be identical for both indexer and search head clustering environments?
Hi Experts,
I have gone through the Capacity planning document and derived my Splunk server configurations based on the requirement.
I have two search heads and two indexers each in two sites with multisite indexer clustering and search head clustering. Total I have 4 search heads, 1 Search head deployer, 4 indexers, 1 masternode and 1 deployment server.
Somewhere I read in Splunk documentation that, for search head and indexer clustering environments, we should have all the server configurations be identical, but am not able to recollect the document name.
Can any one please confirm, whether we required all the server configurations identical if we are going with search head and indexer clustering?
With Regards,
Krishna Rajapantula.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is best practices to have all configurations in an IDX cluster the same; this is also the recommendation for SH clusters.
Index Cluster Deployment Overview may help, as may About Search Head Clustering.
Based on my own work with these two technologies, keeping slightly different indexer configurations seems possible, but I can't imagine any reason you'd want to, outside of migrating a legacy non-clustered indexer into a cluster. For search heads, I wouldn't even attempt such.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Miller for your response.
Also,
We have two search heads and two indexers each in search head & Index clustering with two sites. We have totally 4 search heads and 4 indexers, 1 masternode, 1 deployer and 1 deployment server as per our design.
We are planning to provision our servers in AWS cloud so we would like to know the Server configuration with which we have to go with for the below requirement.
Concurrent users: 25
Saved Searched: 15
Licensing model : 100GB/day
Site replication factor: origin:2, site1:1, total:3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So long as the AWS instances meet the minimum hardware requirements from Splunk, that configuration should easily handle 100GB, and still allow you to grow your license volume at least 2x, and possibly 3-4x assuming you are using forwarders to distribute to all the indexers in a given site or monitoring files. Using UDP or TCP listener on an indexer has a serious negative impact on performance. If you need to run such a listener, stand up a forwarder for it (HF or UF).
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
