Splunk® Validated Architectures

Distributed Clustered Deployment - Single Site (C1 / C11)

The following diagram represents a single site distributed clustered deployment topology:
[Diagram: single site distributed clustered deployment topology]

Architecture overview

The Single Site Distributed Clustered Deployment topology introduces indexer clustering in conjunction with an appropriately configured data replication policy. It provides high availability of data if an indexer peer node fails. To learn about indexer clustering, see About indexer clusters and index replication in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

The topology is suitable for one of the following situations:

  • Your daily data volume exceeds the capacity of a single-server deployment.
  • You require scalable, highly available data ingest and data resiliency if a single indexer node fails.

The topology requires an additional Splunk component, called the cluster manager (CM), which is responsible for coordination and enforcement of the configured data replication policy. It also serves as the authoritative source for available cluster peers (indexers). By configuring the CM instead of individual search peers, you can simplify configuration of a search head.

Using the monitoring console (MC), you can monitor the health and capacity of your distributed deployment. Additionally, you are notified of unhealthy conditions in your deployment by a centralized alerting system that the MC provides.


The benefits of this topology include the ability to do the following:

  • Implement multiple independent search heads in support of availability and capacity requirements.
  • Simplify management by configuring the forwarding tier to discover available indexers via the CM.


The limitations of this topology include:

  • No high availability for the search tier.
  • No automatic disaster recovery (DR) capability in case of data center outage.
  • Limitations on the total cluster size, even though scalability is linear.
  • The number of peer nodes that you deploy depends on the cluster replication factor and the indexing load. See Peer node in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
    • For example, if you have a replication factor of 3, it means that you intend to store three copies of your data and you need at least three peers.
  • A nondeterministic way of replicating data within the cluster. As a result, you can't control where requested copies of each event are stored.

To ensure the best experience, see Splunk Enterprise service limits and constraints in the Capacity Planning manual.
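
The following configuration sketch is an added example, not taken from this topic or from Splunk's own documentation text. It shows how the roles described above relate: the CM enforces the replication policy, and peers, search heads and forwarders each point at the CM instead of at individual indexers. The host name, stanza names `cluster1` and `cluster1_indexers`, port 9887 and the `<...>` secrets are placeholders chosen for illustration; recent Splunk Enterprise releases use the setting names shown, while older releases used `master`, `slave` and `master_uri`.

```ini
# --- Cluster manager (CM): server.conf ---
[clustering]
mode = manager
# Three copies of the data, so at least three peers are required
replication_factor = 3
search_factor = 2
pass4SymmKey = <cluster-secret>

# Lets forwarders ask the CM for the current list of peers
[indexer_discovery]
pass4SymmKey = <discovery-secret>

# --- Each indexer peer: server.conf ---
# Port on which this peer receives replicated data from other peers
[replication_port://9887]

[clustering]
mode = peer
manager_uri = https://cm.example.internal:8089
pass4SymmKey = <cluster-secret>

# --- Each independent search head: server.conf ---
# The search head learns its search peers from the CM,
# so no individual indexers are listed here
[clustering]
mode = searchhead
manager_uri = https://cm.example.internal:8089
pass4SymmKey = <cluster-secret>

# --- Each forwarder: outputs.conf ---
[indexer_discovery:cluster1]
manager_uri = https://cm.example.internal:8089
pass4SymmKey = <discovery-secret>

[tcpout:cluster1_indexers]
indexerDiscovery = cluster1

[tcpout]
defaultGroup = cluster1_indexers
```

The `pass4SymmKey` under `[clustering]` must match on the CM, peers and search heads, and the one under `[indexer_discovery]` must match between the CM and the forwarders. Treat both as secrets and keep them out of shared or version-controlled copies of these files.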

Additional considerations

When using the topology, you may find the following information helpful:

  • To learn about SmartStore deployment, see SmartStore system requirements in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
    • Customers deploying Splunk Enterprise on cloud service providers such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure can leverage object store services for SmartStore implementation.
  • To learn about clustered architectures available in the C and M series of Splunk Validated Architectures (SVAs), see the Splunk Validated Architectures chapter.
Last modified on 01 March, 2024
This documentation applies to the following versions of Splunk® Validated Architectures: current
