- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Search Head Clustering : Preferred approach Odd nu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
folks,
We have two sites and we host 8 Search Heads (4 per site) all clustered with 16 indexers. We need to have a non-clustered SearchHead(SH) for sandbox purposes connected to same indexers
My colleague is suggesting its better to have an odd + even setup in SH (ie. 3x + 4y + 1 standalone) as SH captain works on odd/even configuration better. But my view is to have (4x + 4y + 1 standalone) for consistency and maintainability purposes. (ps: company can sponsor 2 SH's extra, budget is not the real problem)
Any suggestions on above?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Take a look at this:
If you want my personal opinion: go for 3 + 4. You only have 2 sites so this would be my preference. If you had 3 sites I would go for 9 Search Heads because majority is 5 and therefore you can afford losing one site completely.
Also isn't the Indexer-Search Head ratio a bit low? 2 indexers per Search Head is not too much. Is there any reason you need so many Search Heads in your deployment?
See this:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Capacity/Referencehardware#Ratio_of_indexers_to_se...
http://docs.splunk.com/Documentation/Splunk/latest/Capacity/Summaryofperformancerecommendations
EDIT: your idea about the extra search head is good too. You could also use it for testing purposes or even as a staging server should you decided to get Enterprise Security.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Take a look at this:
If you want my personal opinion: go for 3 + 4. You only have 2 sites so this would be my preference. If you had 3 sites I would go for 9 Search Heads because majority is 5 and therefore you can afford losing one site completely.
Also isn't the Indexer-Search Head ratio a bit low? 2 indexers per Search Head is not too much. Is there any reason you need so many Search Heads in your deployment?
See this:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Capacity/Referencehardware#Ratio_of_indexers_to_se...
http://docs.splunk.com/Documentation/Splunk/latest/Capacity/Summaryofperformancerecommendations
EDIT: your idea about the extra search head is good too. You could also use it for testing purposes or even as a staging server should you decided to get Enterprise Security.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for your input and links. voting up. (Will accept by end of this week, just wanted to see if any other opinion comes as well)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another reason to go with 3+4 is that with 7 SH, the majority number is 4. With 8 SH, the majority number required will be 5, so you have to use 5 + 3 (+ 1 standalone) combination to allow primary site (with 5) to be available in case secondary site is down (and you loose your consistency point anyways).
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
