What started as a plan to stand up a new/additional VM Search Head dedicated to a specific department in IT has turned into a possible first attempt at Search Head clustering.
In trying to segregate field extractions, dashboards, etc., I was going to stand up a virtual SH specifically for the use of one department at our company. Additionally, I thought that separate SHs might lessen the workload on Splunk, at least at the SH level, but the further I go learning how to implement my plan, the more I'm wondering if we'll actually be creating more workload on the Indexers.
To the questions:
1. Will two dedicated, non-clustered, Search Heads have a positive or negative impact on overall Splunk resources, mainly SH and IDX performance, and has anyone successfully implemented this layout, and do they recommend it?
2. If two stand-alone SHs are not the solution, and instead I just need to better learn how to implement roles to isolate extractions/dashboards and the like on my existing deployment, then is clustering a Virtual SH with a Physical SH acceptable? At this point the VM has lower CPU/RAM than the physical. The department it was originally meant for will likely not need as much power as the primary/physical SH, but being a VM, resources can be increased.
Thanks in advance for your time/thoughts on the matter!