Deployment Architecture

Clustering queries

SplunkFu
Path Finder

Hi there,

We are currently looking at the using clustering to introduce redundancy/HA into the deployment. I have a few questions which I may have missed in the documentation...

  1. Is there a minimum number of peer nodes that can be used in a cluster? - we are looking at 2 nodes, are there any major restrictions to this setup?
  2. In the documentation it states that a reference server should suffice for the master node, however as it is not performing any indexing/searching does it require that much in specification?
  3. Any issues with using clustering with the ES App?
  4. Are there any issues in having a search head searching between clustered and non-clustered indexers/nodes?
  5. Finally, I didn't see any notes on how to calculate storage requirements for clustering. Any thoughts?

Thanks in advance, and I look forward to your help 🙂

Best regards...

Tags (1)
0 Karma
1 Solution

gkanapathy
Splunk Employee
Splunk Employee
  1. No, two indexer nodes is fine.
  2. You can and probably should use a much smaller server for the master node. It doesn't need anything near the storage or CPU of any indexer. Probably a dual-core machine with 2 or 4 GB of memory and no big storage is fine.
  3. There should not be, except that summaries/tsidxstats will not be stored on the cluster
  4. You can not do this. A search head can search many non-clustered nodes, or it can search many clusters, but it can't do both. It's probably worth making an Enhancement Request for this if you want it
  5. http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Systemrequirements#Storage_considerations

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee
  1. No, two indexer nodes is fine.
  2. You can and probably should use a much smaller server for the master node. It doesn't need anything near the storage or CPU of any indexer. Probably a dual-core machine with 2 or 4 GB of memory and no big storage is fine.
  3. There should not be, except that summaries/tsidxstats will not be stored on the cluster
  4. You can not do this. A search head can search many non-clustered nodes, or it can search many clusters, but it can't do both. It's probably worth making an Enhancement Request for this if you want it
  5. http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Systemrequirements#Storage_considerations

SplunkFu
Path Finder

also... how do I submit an enhancement request... not done one before.

0 Karma

SplunkFu
Path Finder

Thanks for the response, very helpful... can't believe I missed that webpage.

0 Karma

Steve_G_
Splunk Employee
Splunk Employee

I can help with a few of these:

Minimum number of peer nodes: Depends of course on your availability needs, but you can certainly set up a cluster with just two peer nodes.

Storage requirements: Many factors enter into it, but there's some pretty extensive documentation here: http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Systemrequirements#Storage_considerations

SplunkFu
Path Finder

Ahh right, okay that's great thanks. Will do, thanks

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

You can submit a enhancement request by submitting a case here https://www.splunk.com/page/submit_issue and setting it to priority level P4.

0 Karma

SplunkFu
Path Finder

Thanks for the response... completely missed that documentation page... thought I clicked through them all. +1

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...