Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Head Clustering : Preferred approach Odd number or Even number per site?

koshyk
Super Champion
‎01-15-2016 06:49 AM

folks,
We have two sites and we host 8 Search Heads (4 per site) all clustered with 16 indexers. We need to have a non-clustered SearchHead(SH) for sandbox purposes connected to same indexers

My colleague is suggesting its better to have an odd + even setup in SH (ie. 3x + 4y + 1 standalone) as SH captain works on odd/even configuration better. But my view is to have (4x + 4y + 1 standalone) for consistency and maintainability purposes. (ps: company can sponsor 2 SH's extra, budget is not the real problem)

Any suggestions on above?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
SplunkTrust
SplunkTrust
‎01-15-2016 07:21 AM

Take a look at this:

http://docs.splunk.com/Documentation/Splunk/6.3.1511/DistSearch/DeploymultisiteSHC#Important_conside...

If you want my personal opinion: go for 3 + 4. You only have 2 sites so this would be my preference. If you had 3 sites I would go for 9 Search Heads because majority is 5 and therefore you can afford losing one site completely.

Also isn't the Indexer-Search Head ratio a bit low? 2 indexers per Search Head is not too much. Is there any reason you need so many Search Heads in your deployment?
See this:

http://docs.splunk.com/Documentation/Splunk/6.2.0/Capacity/Referencehardware#Ratio_of_indexers_to_se...
http://docs.splunk.com/Documentation/Splunk/latest/Capacity/Summaryofperformancerecommendations

EDIT: your idea about the extra search head is good too. You could also use it for testing purposes or even as a staging server should you decided to get Enterprise Security.

View solution in original post

Reply
Solved! Jump to solution
Solution

javiergn
SplunkTrust
SplunkTrust
‎01-15-2016 07:21 AM

Take a look at this:

http://docs.splunk.com/Documentation/Splunk/6.3.1511/DistSearch/DeploymultisiteSHC#Important_conside...

If you want my personal opinion: go for 3 + 4. You only have 2 sites so this would be my preference. If you had 3 sites I would go for 9 Search Heads because majority is 5 and therefore you can afford losing one site completely.

Also isn't the Indexer-Search Head ratio a bit low? 2 indexers per Search Head is not too much. Is there any reason you need so many Search Heads in your deployment?
See this:

http://docs.splunk.com/Documentation/Splunk/6.2.0/Capacity/Referencehardware#Ratio_of_indexers_to_se...
http://docs.splunk.com/Documentation/Splunk/latest/Capacity/Summaryofperformancerecommendations

EDIT: your idea about the extra search head is good too. You could also use it for testing purposes or even as a staging server should you decided to get Enterprise Security.

Reply
Solved! Jump to solution

koshyk
Super Champion
‎01-15-2016 01:26 PM

thanks for your input and links. voting up. (Will accept by end of this week, just wanted to see if any other opinion comes as well)

0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎01-15-2016 01:39 PM

Another reason to go with 3+4 is that with 7 SH, the majority number is 4. With 8 SH, the majority number required will be 5, so you have to use 5 + 3 (+ 1 standalone) combination to allow primary site (with 5) to be available in case secondary site is down (and you loose your consistency point anyways).

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...