Splunk® Enterprise

Monitoring Splunk Enterprise

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Which instance should host the console?

This topic is a step in the process of setting up the monitoring console for a distributed Splunk Enterprise deployment.

To start, determine which instance will best host the monitoring console. You have several options for where to host the monitoring console, depending on the nature of your deployment:

  • The instance you choose must meet or exceed the search head reference hardware requirements. See Reference hardware in the Capacity Planning Manual.
  • For security and performance reasons, only Splunk Enterprise administrators should have access to this instance.
  • The instance hosting the monitoring console must not run any searches unrelated to its function as monitoring console. The exception to this rule is if you are using the console to monitor a standalone single-instance deployment.

This table outlines the recommended locations for the monitoring console, based on deployment type.

Distributed mode? Indexer clustering? Search head clustering? Recommended locations
No N/A N/A The standalone instance.
Yes No No The license master or a deployment server servicing a small number (<50) of clients. Otherwise, run the monitoring console on a search head that is dedicated to running monitoring console searches.
Yes Single indexer cluster Not relevant The master node, if the load on the master node is below the limits specified in Additional roles for the master node in the Managing Indexers and Clusters of Indexers manual. Otherwise, run the monitoring console on a search head node that is dedicated to running monitoring console searches.
Yes Multiple indexer clusters Not relevant A search head that is configured as a search head node across all the clusters. This search head must be dedicated to monitoring console use.
Yes No Yes The search head cluster deployer, a license master, or a standalone search head that is dedicated to running monitoring console searches. Do not run the monitoring console on a search head cluster member.

For a general discussion of management component colocation, see Components that help to manage your deployment in the Distributed Deployment Manual.

See the sections that follow for detailed information for certain deployment types.

In a non-clustered deployment

You can locate the monitoring console on any of these instances:

  • A license master
  • A deployment server that is servicing a small number (<50) of clients
  • A dedicated search head

In a deployment with a single indexer cluster

In a single indexer cluster, you can host the monitoring console on the instance running the master node if the load on the master node is below the limits specified in Additional roles for the master node in the Managing Indexers and Clusters of Indexers manual.

You can also host the monitoring console on a search head node in the cluster, but you must dedicate the node to monitoring console searches. You cannot use the search head to run any other searches.

In a deployment with multiple indexer clusters

If your deployment has multiple indexer clusters, host the monitoring console on a dedicated search head configured as a search head node on each indexer cluster. Do not use this search head to run any non-monitoring console searches.

To do this:

1. Configure a search head to serve as a node on each of the indexer clusters. See Search across multiple indexer clusters in the Managing Indexers and Clusters of Indexers manual. This is your monitoring console instance.

2. Configure each master node and all search head nodes in the clusters as search peers of the monitoring console instance. See Add instances as search peers in this manual.

Do not configure the cluster peer nodes (indexers) as search peers to the monitoring console node. As nodes in the indexer clusters, they are already known to all search head nodes in their cluster, including the monitoring console node.

In a deployment with a search head cluster but without an indexer cluster

You can locate the monitoring console on any of these instances:

  • A search head cluster deployer
  • A license master
  • A standalone, dedicated search head

Do not run the monitoring console on a search head cluster member.

The Monitoring Console is not supported for search head pooling deployments. Search head pooling was first deprecated in Splunk Enterprise 6.2.0 and the functionality is removed from Splunk Enterprise 8.0.0 and higher.

Why not to host the console on a production search head

Do not configure the monitoring console on an existing production search head that is already in use for the following reasons:

  • Non-monitoring console searches that run on this search head might have incomplete results. The monitoring console distributed search groups modify default search behavior to ensure that the searches for the monitoring console dashboards are narrowly scoped to the list of search peers that they target. When you set up the monitoring console in distributed mode, it creates one search group for each server role, identified cluster, or custom group. Unless you use a "splunk_server_group" or the "splunk_server" option, only search peers that are members of the indexer group are searched by default. Because all searches that run on the monitoring console instance follow this behavior, non-monitoring console searches might have incomplete results.
  • All production search heads should be monitored for performance, and the monitoring console affects the performance of the search head that hosts it. It can be difficult to disentangle monitoring console resource usage from production resource usage on the same instance.

The monitoring console and deployment server

In most cases, you cannot host the distributed monitoring console on a deployment server. The exception is if the deployment server handles only a small number of deployment clients, no more than 50. The monitoring console and deployment server functionalities can interfere with each other at larger client counts. See Deployment server provisioning in the Updating Splunk Enterprise Instances manual.


Next step

To continue setting up the monitoring console in distributed mode, make sure your deployment meets the prerequisites. See Monitoring Console setup prerequisites.

Last modified on 27 April, 2020
Single-instance Monitoring Console setup steps   Monitoring Console setup prerequisites

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters