Splunk® Validated Architectures

Splunk Validated Architectures

Distributed Non-Clustered Deployment (D1 / D11)

The following diagram represents a distributed non-clustered deployment topology:

This diagram shows a distributed non-clustered deployment topology.

Architecture overview

The Distributed Non-Clustered Deployment topology introduces multiple, independent indexers using which you can scale your indexing capacity and increase availability of data ingestion.

The topology is suitable in one of the following situations:

  • Your daily data volume exceeds the capacity of a single-server deployment.
  • You require scalable and highly available data ingestion.

Using the monitoring console (MC), you can monitor the health and capacity of your distributed deployment. Additionally, you are notified of unhealthy conditions in your deployment by a centralized alerting system that the MC provides.


The benefits of this topology include the following possibilities:

  • To scale to more than 1000 indexer nodes to support extremely high data ingestion and search volumes.
  • To maintain search performance across large datasets by executing parallel search across many indexers (MapReduce).
  • To predict increase in total cost of ownership (TCO) as it grows linearly when you add indexer nodes.


The limitations of this topology include the following:

  • No high availability for the search tier
  • Limited high availability and data redundancy for the indexing tier
  • If a node fails, possibility of getting incomplete search results for historic searches. No impact on data ingestion.
  • Necessity to explicitly configure the search head(s) with the list of available search peers, every time new indexers are added.
  • Necessity to configure the collection tier with the list of target indexers via a deployment server, every time new indexers are added.

Additional considerations

When using the topology, you may find the following information helpful:

  • To meet specific requirements, for example, to run some of Splunk premium apps that require dedicated search environments, deploy one or more independent search heads (SH) or search head clusters (SHCs).
  • To learn about clustered architectures available in the C and M series of Splunk Validated Architectures (SVAs), see the Splunk Validated Architectures chapter.
Last modified on 22 February, 2024
Distributed Clustered Deployment with SHC - Single Site (C3 / C13)   Distributed Clustered Deployment - Multisite (M2 / M12)

This documentation applies to the following versions of Splunk® Validated Architectures: current

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters