Multiple SearchHeads (one per DC) – How to take advantage of report acceleration data?

t9445
Path Finder

Hi, hoping this is a basic question, the lead-in is long, however the questions are brief.

We have multiple Data-Centers (DCs), and have been advised not to use SearchHead pooling across DCs (known issue due to latency concerns etc., as we understand). However, we need to provide local access to users geographically located near/within some specific DCs, as well as Disaster Recovery (DR) + Redundancy (e.g. if a DC is down, typically/hopefully for DR tests, the users can still access the SearchHead in other DCs).

Each of the SearchHeads is not aware of the other SearchHeads and forwards ALL data to their local DC indexers (e.g. no-splunk-data is stored locally). Additionally each SearchHead is aware of all indexers (so we can do complete infrastructure searches regardless of which SearchHead is being accessed by the user).
Using deployment-server we are populating our SearchHeads accordingly with various apps (essentially the SearchHeads, with some minor exceptions, are clones).

So, if we have a Splunk-application that by definition has report-acceleration enabled, and we deploy this application to all of our SearchHeads, I note that the "Summary ID" (in Manager > Report Acceleration) is the same across all SearchHeads.

  1. Is the associated Report Acceleration data duplicated since the report acceleration is enabled on each SearchHead? (Assume so, since the acceleration queries etc. are running on each SearchHead.)

  2. If we disable acceleration on all but one SearchHead within the apps, is there any way to enable the other SearchHeads to take advantage of the generated acceleration data from the one-SearchHead?

Yes, optimally we would be using SearchHead pooling, however X-DC is not recommended (at least currently as I understand), another possibility is summary indices instead, however would prefer to take advantage of report acceleration (and most importantly continue to keep all options open to our Splunk-users that are developing Splunk-apps)

Appreciate any inputs

thanks

-tom

0 Karma

jonuwz
Influencer

Unlike summary indexes, report acceleration summaries are not manually created indexes that reside on the search head but rather automatically-created data summaries that are stored alongside the buckets within ordinary indexes.

source

So

1) no - there is no duplication on the search heads, because that's not where the data is stored anyway.

2) Not applicable

0 Karma

t9445
Path Finder

(think I was unclear, apologies), understood that the data is not on the SearchHeads. If the same accelerated reports (identical due to swr distribution) are installed on multiple autonomous SearchHeads, will the accelerated data be duplicated (on the indexers)? In subsequent testing it appears so. Is there any way to have it so one SearchHead (cannot use SearchHead pooling due to our environment, X-DC) can generate the relevant accelerated data and the other SearchHeads take advantage of that data (since it is available to them on the indexers -- all indexers known by all SearchHeads)?

0 Karma