Clustering queries

SplunkFu
Path Finder

Hi there,

We are currently looking at using clustering to introduce redundancy/HA into the deployment. I have a few questions which I may have missed in the documentation...

  1. Is there a minimum number of peer nodes that can be used in a cluster? - we are looking at 2 nodes, are there any major restrictions to this setup?
  2. In the documentation it states that a reference server should suffice for the master node, however as it is not performing any indexing/searching does it require that much in specification?
  3. Any issues with using clustering with the ES App?
  4. Are there any issues in having a search head searching between clustered and non-clustered indexers/nodes?
  5. Finally, I didn't see any notes on how to calculate storage requirements for clustering. Any thoughts?

Thanks in advance, and I look forward to your help 🙂

Best regards...


gkanapathy
Splunk Employee
  1. No, two indexer nodes is fine.
  2. You can and probably should use a much smaller server for the master node. It doesn't need anything near the storage or CPU of any indexer. Probably a dual-core machine with 2 or 4 GB of memory and no big storage is fine.
  3. There should not be, except that summaries/tsidxstats will not be stored on the cluster.
  4. You cannot do this. A search head can search many non-clustered nodes, or it can search many clusters, but it can't do both. It's probably worth making an Enhancement Request for this if you want it.
  5. http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Systemrequirements#Storage_considerations

SplunkFu
Path Finder

also... how do I submit an enhancement request... not done one before.


SplunkFu
Path Finder

Thanks for the response, very helpful... can't believe I missed that webpage.


Steve_G_
Splunk Employee

I can help with a few of these:

Minimum number of peer nodes: Depends of course on your availability needs, but you can certainly set up a cluster with just two peer nodes.

Storage requirements: Many factors enter into it, but there's some pretty extensive documentation here: http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Systemrequirements#Storage_considerations

SplunkFu
Path Finder

Ahh right, okay that's great thanks. Will do, thanks


gkanapathy
Splunk Employee

You can submit an enhancement request by submitting a case here https://www.splunk.com/page/submit_issue and setting it to priority level P4.


SplunkFu
Path Finder

Thanks for the response... completely missed that documentation page... thought I clicked through them all. +1
