Splunk® Validated Architectures

Distributed Clustered Deployment with SHC - Single Site (C3 / C13)

The following diagram represents a single site distributed clustered deployment with a search head cluster (SHC) topology:

[Diagram: single site distributed clustered deployment with a search head cluster topology]

Architecture overview

The Single Site Distributed Clustered Deployment with a Search Head Cluster (SHC) topology uses clustering to add horizontal scalability and remove the single point of failure from the search tier.

Note the following:

  • To implement an SHC, you need at least three search heads.
  • To deploy configuration files in the cluster, use a separate search head cluster deployer for each SHC.
    • There are no high availability (HA) requirements, that is, no runtime role, for the search head cluster deployer.
  • To make sure that users remain on a single search head throughout their session, use a third-party network load-balancer that supports sticky sessions in front of the SHC members. To learn about the network load-balancer, see Use a load balancer with search head clustering in the Splunk Enterprise Distributed Search manual.

Benefits

The benefits of this topology include the following:

  • Increase in available search capacity beyond what a single search head can provide
  • Distribution of scheduled search workload across the cluster
  • Optimal user failover if a search head fails

Limitations

The limitation of this topology is the lack of a disaster recovery (DR) capability if a site outage occurs.

To ensure the best experience, see Splunk Enterprise service limits and constraints in the Splunk Enterprise Capacity Planning manual.

Additional considerations

When using the topology, you may find the following information helpful:

  • To learn about SmartStore deployment, see SmartStore system requirements in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
    • Customers deploying Splunk Enterprise on cloud service providers such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure can use object store services for SmartStore implementation.
  • To monitor the health of your Splunk environment, deploy the monitoring console (MC).
  • To meet specific requirements, for example to run some of the Splunk premium applications that require dedicated search environments, deploy one or more independent SHCs.
  • If you are a Splunk Enterprise Security (ES) customer and your category code is C13, which means that you intend to deploy the Splunk Enterprise Security app, use a dedicated SHC to deploy the app. The search tier can contain clustered and non-clustered search heads depending on your capacity and organizational needs. The topology diagram doesn't show it.

Last modified on 04 March, 2024

This documentation applies to the following versions of Splunk® Validated Architectures: current