Brief description:
We have 2 large physical machines we would like to use for our new Splunk Enterprise implementation.
My question is: Can each machine be both a search head cluster member and an indexer cluster member? I would like to have redundancy for both Search Heads and Indexers. I have read the documentation but may be missing the information.
Thanks in advance,
Given what hardware you have, you could build a two-member indexer cluster with the physical machines as peers, a virtual master (can be small), three virtual SHC members (as big as you can get), and a virtual SHC deployer (can be small).
From there you could add physical machines to the SHC later once you have the boxes.
Short answer: No. They must reside on their own virtual or physical machines, as must all the other nodes in the clusters.
In an indexer cluster, each node must reside on its own physical or virtual machine. See http://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/Systemrequirements#Machine_requirements
This is also true for search head cluster members. See http://docs.splunk.com/Documentation/Splunk/6.5.2/DistSearch/SHCsystemrequirements#Machine_requireme...
And the deployer for the SHC cannot be a member, and the CM for the index cluster cannot be a member. Short answer is you need more systems. Depending on your data and search usage you are going to have tears from CPU, RAM and iOPS contention trying to subdivide just two physical machines.
Ultimately I wanted to have something like this:
2 Physical machines each acting as Search Head Cluster Members and individual indexers (not clustered)
1 VM acting as Deployer and Deployment Server
From what I read you can have a search head cluster with only 2 members, just not recommended in case 1 goes down.
The minimum member count for a SHC is three.
Looks like I am stuck with a Search Head/Indexer and Indexer configuration.
Would love to build more but availability of more large physical machines is zero. I am stuck with VM's for any new members.
Having read this:
With two physical machines I should be able to run a Search Head Cluster and non-clustered search peers on each server, correct? (assuming I build a smaller VM as a deployer)
I am currently running each machine as a search head and indexer but would like to use both machines as part of the same environment.
Any recommendations/corrections are welcome.
Thanks in advance.