Splunk® Validated Architectures

Distributed Clustered Deployment with SHC - Single Site (C3 / C13)

The following diagram represents a single site distributed clustered deployment with a search head cluster (SHC) topology:

[Diagram: single site distributed clustered deployment with a search head cluster topology]

Architecture overview

The Single Site Distributed Clustered Deployment with a Search Head Cluster (SHC) topology uses clustering to add horizontal scalability and removes the single point of failure from the search tier.

Note the following:

  • To implement an SHC, you need at least three search heads.
  • To deploy configuration files in the cluster, use a separate search head cluster deployer for each SHC.
    • There are no high availability (HA) requirements, that is, no runtime role, for the search head cluster deployer.
  • To make sure that users remain on a single search head throughout their session, use a third-party network load-balancer that supports sticky sessions in front of the SHC members. To learn about the network load-balancer, see Use a load balancer with search head clustering in the Splunk Enterprise Distributed Search manual.
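
The sticky-session requirement above, sketched as an added example that is not part of the Splunk documentation. It assumes HAProxy as the third-party load balancer; the hostnames, certificate paths, and cookie name are placeholders, and it assumes Splunk Web on each member listens on port 8000 with TLS enabled (`enableSplunkWebSSL = true` in `web.conf`).

```haproxy
# Added example: HAProxy in front of three SHC members (the minimum for an SHC).
# Hostnames, file paths, and the cookie name are assumptions.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend splunk_web
    # Terminate user TLS here; the PEM holds the certificate and private key.
    bind :443 ssl crt /etc/haproxy/certs/splunk-web.pem
    default_backend shc_members

backend shc_members
    balance roundrobin
    # Sticky sessions: HAProxy inserts its own cookie naming the chosen
    # member, so later requests from the same browser return to that member.
    # "secure" and "httponly" keep the cookie off plaintext links and
    # away from page scripts.
    cookie SHC_MEMBER insert indirect nocache httponly secure
    # "check" removes a failed member from rotation; requests carrying that
    # member's cookie are then balanced to a healthy member.
    # "ssl verify required" authenticates each member against the internal CA
    # instead of trusting any certificate on the backend leg.
    server sh1 sh1.example.internal:8000 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check cookie sh1
    server sh2 sh2.example.internal:8000 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check cookie sh2
    server sh3 sh3.example.internal:8000 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check cookie sh3
```

The search head cluster deployer is deliberately absent from the backend: it has no runtime role and does not serve user sessions.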

Benefits

The benefits of this topology include the following:

  • Increase in available search capacity beyond what a single search head can provide
  • Distribution of scheduled search workload across the cluster
  • Optimal user failover if a search head fails

Limitations

The limitation of this topology is the lack of a disaster recovery (DR) capability if a site outage occurs.

To ensure the best experience, see Splunk Enterprise service limits and constraints in the Splunk Enterprise Capacity Planning manual.

Additional considerations

When using the topology, you may find the following information helpful:

  • Customers deploying Splunk Enterprise on cloud service providers like Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure can leverage object store services for SmartStore implementation. See SmartStore system requirements in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
  • To monitor the health of your Splunk environment, deploy the monitoring console (MC).
  • To meet specific requirements, for example to run some of the Splunk premium applications that require dedicated search environments, deploy one or more independent SHCs.
  • If you are a Splunk Enterprise Security (ES) customer and your category code is C13, which means that you intend to deploy the Splunk Enterprise Security app, use a dedicated SHC to deploy the app. The search tier can contain clustered and non-clustered search heads depending on your capacity and organizational needs. The topology diagram doesn't show this.
  • Customers considering deployment of Enterprise Security (ES) in a C13 category code should review the guidance for installation of ES in search head cluster environments. Splunk strongly recommends engaging with Splunk Professional Services when deploying ES in an HA/DR environment. See Install Splunk Enterprise Security in a search head cluster environment in the Splunk Enterprise Security Install and Upgrade Splunk Enterprise Security manual.
Last modified on 28 June, 2024

This documentation applies to the following versions of Splunk® Validated Architectures: current

