About search head clustering - Splunk Documentation (original) (raw)

Splunk® Enterprise

Distributed Search

1. Documentation
2. Splunk® Enterprise
3. Distributed Search
4. About search head clustering

A search head cluster is a group of Splunk Enterprise search heads that serves as a central resource for searching. The members of a search head cluster are essentially interchangeable. You can run the same searches, view the same dashboards, and access the same search results from any member of the cluster.

To achieve this interchangeability, the search heads in the cluster must share configurations and apps, search artifacts, and job scheduling. Search head clusters automatically propagate most of these shared resources among the members.

Benefits of a search head cluster

Search head clusters provide these key benefits:

• Horizontal scaling. As the number of users and the search load increases, you can add new search heads to the cluster. By combining a search head cluster with a third-party load balancer placed between users and the cluster, the topology can be transparent to the users.
• High availability. If a search head goes down, you can run the same set of searches and access the same set of search results from any other search head in the cluster.
• No single point of failure. The search head cluster uses a dynamic captain to manage the cluster. If the captain goes down, another member automatically takes over management of the cluster.

Cluster architecture

A search head cluster consists of a group of networked search heads, called cluster members. One cluster member, the captain, coordinates all cluster-wide activities. If the member serving as captain goes down, another member takes its place.

The members share:

• Job scheduling. The cluster manages job scheduling centrally, allocating each scheduled search to the optimal member, usually the member with the least load.
• Search artifacts. The cluster replicates search artifacts and makes them available to all members.
• Configurations. The cluster requires that all members share the same set of configurations. For runtime updates to knowledge objects, such as updates to dashboards or reports, the cluster replicates configurations automatically to all members. For apps and some other configurations, the user must push configurations to the cluster members by means of the deployer, a Splunk Enterprise instance that resides outside the cluster.

See "Search head clustering architecture."

How to set up the cluster

You set up a cluster by configuring and deploying the cluster's search heads. The process is similar to how you set up search heads in any distributed search environment. The main difference is that you also need to configure the search heads as cluster members.

See the chapter "Deploy search head clustering".

How the user accesses the cluster

Users access the cluster the same way that they access any search head. They point their browser at any search head that is a member of the cluster. Because cluster members share jobs, search artifacts, and configurations, it does not matter which search head a user accesses. The user has access to the same set of dashboards, searches, and so on.

To achieve the goals of high availability and load balancing, Splunk recommends that you put a load balancer in front of the cluster. That way, the load balancer can assign the user to any search head in the cluster and balance the user load across the cluster members. If one search head goes down, the load balancer can reassign the user to any remaining search head.

Search head clusters and indexer clusters

Search head clusters are different from indexer clusters. The primary purpose of indexer clusters is to provide highly available data through coordinated groups of indexers. Indexer clusters always include one or more associated search heads to access the data on the indexers. These search heads might be, but are not necessarily, members of a search head cluster.

For information on search heads in indexer clusters, see the chapter "Configure the search head" in the Managing Indexers and Clusters of Indexers manual.

For information on adding a search head cluster to an indexer cluster, see the topic "Integrate the search head cluster with an indexer cluster" in this manual.

| | Supported commands for parallel reduce search processing | | Search head clustering architecture | | | ------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------- | | ----------------------------------------------------------------------------------------------- | ----------------------------------------------------------- |

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2