- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- How to set up a search head and indexer clustering...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to set up a search head and indexer clustering from a standalone setup?
Hi,
My current Splunk setup is
1- stand alone search
1 - master node
3 - indexer(clustering)
Future Splunk setup
3- search head (clustering)
1- master node
3 - indexer (clustering)
I would like to implement clustering setup for search head. i need your opinion to do this without affecting the service. If there is any wiki please let me know. thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are you going towards SHC? You should only do this if you need more concurrent search capability. SHC is NOT a DR/HA solution (it actually makes it less stable).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
thanks for the update. the reason why i want to go for this setup is that, when many people start searching for the data , it will create the lot of load on search node. am i right? is this how splunk work ? sorry i am new to the splunk. i am not sure whether the load create on search node or indexer.
http://docs.splunk.com/Documentation/Splunk/6.2.0/DistSearch/SHCarchitecture
i am looking for the similar setup. my main concern is load on search node. If i want to do the setup like above, will it be stable ? is there any difficulty i will face ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
first of all, take a look at the documentation here.
- Make yourself familiar with the differences between standalone and clustered environments: http://docs.splunk.com/Documentation/Splunk/6.5.3/Indexer/Keydifferences
- Read this: https://docs.splunk.com/Documentation/Splunk/6.5.3/Indexer/Migratenon-clusteredindexerstoaclusterede...
- And this: https://docs.splunk.com/Documentation/Splunk/6.6.1/DistSearch/Migratefromstandalonesearchheads
Basically, what you want to do, is, enabling your master for all the servers in the configuration files (described in the documentation). Additionally, you will need a deployer (can be ran on the server where the master is hosted). The deployer will manage the Search Head cluster. After setting up master and deployer accordingly, you will then create the indexer cluster.
Please note that it's not possible to migrate your current buckets into clustered (replicated) buckets on your own. Atleast it's not recommended to do so.
After succesfully setting up the Indexer cluster, you will proceed with the Search Head cluster.
Done.
Skalli
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
