Solved: Can a search head cluster search across several in...

maclemes · ‎01-21-2016

Here are my requirements:
- storing data on country-specific sites (for legal reasons, the data that is going to be indexed needs to physically stay in the country were it got created)
- searching across all sites

My current design is the following:
- 3 completely independent index clusters in different sites with no replication between them
- 1 search head cluster (with a load balancer in front), that would use the 3 indexer clusters as its search peers

Is that even possible?
I think I understood that a single search head can search across several indexer clusters, but I am not entirely sure the search head cluster allows for that.

Also, do I need to add a search head inside each indexer cluster to make this whole system to work? Or should I only do that if I want each indexer cluster to be searchable on its own?

Raschko · ‎01-21-2016

Sure, search across multisite multi-cluster is possible. You will only need one Searchhead.

There's a good doc about it, please have a look at

http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Configuremulti-clustersearch

View solution in original post

javiergn · ‎01-21-2016

Regarding the following requirement:

storing data on country-specific sites (for legal reasons, the data that is going to be indexed needs to physically stay in the country were it got created)

The moment you give all the members in your search head cluster the ability to search across all your indexer clusters, that requirement might be difficult to meet unless you place all your search head cluster members in one site.
Keep in mind your data might be store in one place but the moment you search it from your search head, the data is already there, on that particular search head.

It is not a easy requirement to meet if there are legal implications around it. Another approach would be to use a Heavy Forwarder and allow local indexing and searching there. Then using the indexAndForward flag, index your country-specific data there and forward the non-specific one to the next hop.

An easier approach would be to join your individual search heads with the relevant indexer cluster and configure them to search only there, but that would be against your second requirement.

Hope that helps

maclemes · ‎01-21-2016

Thank you so much giving me more feedback on the requirement, it really helps. I will take this point into further consideration.

Raschko · ‎01-21-2016

Sure, search across multisite multi-cluster is possible. You will only need one Searchhead.

There's a good doc about it, please have a look at

http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Configuremulti-clustersearch

maclemes · ‎01-21-2016

You will only need one Searchhead

Do you mean that using a searchhead cluster to go through all my indexer clusters data is useless?

claudio_manig · ‎03-28-2018

Still an issue on 7.03 SearchHeads, thanks for that, saved a lot of time!

Raschko · ‎01-21-2016

No, of course not. I was just answering your question whether you need a searchhead for each indexer cluster.

With a searchhead cluster, the configuration will work the same way. You need to configure each cluster master on each searchhead.

Another doc:
http://docs.splunk.com/Documentation/Splunk/6.3.2/DistSearch/SHCandindexercluster

maclemes · ‎01-21-2016

Thank you so much!

Can a search head cluster search across several indexer clusters?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes