Splunk® Validated Architectures


AWS BYOL high availability

Initial publication: June 26, 2024
Last reviewed: June 7, 2024

AWS offers a broad cloud computing platform with high availability and service at scale. Splunk administrators can take advantage of the flexibility of AWS to modify, scale, and migrate their deployment on demand and as their business requirements change. Splunk uses the term BYOL (bring your own license) to refer to customers who manage their own deployments in a cloud service provider, such as AWS, using their Splunk Enterprise license.

Architecture overview

The following diagram represents a high-level architecture of a Splunk Enterprise AWS BYOL deployment leveraging native cloud capabilities for high availability and scale.

  • Indexers are spread across three different availability zones (in a single region) to help ensure high availability using Splunk multisite clustering.
  • SHC instances are also spread across different availability zones (in a single region) and are fronted by a load balancer so users can use a single endpoint for UI access.
  • Splunk SmartStore allows the separation of compute and storage resources, leveraging S3 for cost-effective and performant long-term data retention.
  • Cluster manager redundancy is achieved with a pair of instances in separate zones to cover a zone loss or outage.

Architecture diagram for AWS BYOL high availability SVA.
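
The following configuration sketch is an added example, not part of the original Splunk page. It shows how the three-zone multisite indexer cluster and the SmartStore S3 volume described above are typically expressed in Splunk .conf files. The site-to-availability-zone mapping, the factor values, and every value in angle brackets are assumptions or placeholders.

```ini
# --- server.conf on the cluster manager (constructed example) ---
[general]
# Assumed mapping: site1, site2, site3 = the three availability zones
site = site1

[clustering]
mode = manager
multisite = true
available_sites = site1,site2,site3
# Illustrative values: one copy in the originating zone, three in total,
# which lets every zone hold a copy of each bucket
site_replication_factor = origin:1,total:3
site_search_factor = origin:1,total:3
pass4SymmKey = <CLUSTER_SECRET_PLACEHOLDER>

# --- server.conf on an indexer placed in the second zone ---
[general]
site = site2

[replication_port://9887]

[clustering]
mode = peer
manager_uri = https://<CLUSTER_MANAGER_ENDPOINT>:8089
pass4SymmKey = <CLUSTER_SECRET_PLACEHOLDER>

# --- indexes.conf distributed to all indexers (SmartStore on S3) ---
[volume:remote_store]
storageType = remote
path = s3://<BUCKET_PLACEHOLDER>/<PREFIX_PLACEHOLDER>

[default]
# Send every index to the remote volume and replicate it across the cluster
remotePath = volume:remote_store/$_index_name
repFactor = auto
```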

Benefits and descriptions

  • All existing SVA patterns can be implemented within AWS.
  • Data created within AWS (or already in AWS) can be locally ingested, saving network egress costs.
  • Indexers and Search Heads can be scaled quickly and easily through AWS automation services external to the Splunk platform.
  • Instance specifications can be adjusted as needed for changes in business needs and performance.

Search tier

  • SHC (Search Head Cluster) allows for high availability of the Splunk search tier by clustering Splunk search heads and replicating search and user objects as needed. A single member, selected during startup through an election process, acts as the captain. This member maintains replication state and handles scheduled search jobs. The search head deployer (SHC-D) is an instance that exists outside of the cluster and contains the apps and configurations needed for the search head cluster. The SHC-D is not a mission-critical component: a functioning cluster does not depend on it, and it does not require redundancy. https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/AboutSHC
  • ELB (Elastic Load Balancer) is an AWS service that may be applied to balance user sessions across a search head cluster. You should enable session affinity (sticky sessions) and use application-controlled session affinity. https://aws.amazon.com/elasticloadbalancing/
  • Autoscaling may be applied to handle instance failures or instances in an unhealthy state. AWS can relaunch and replace these instances automatically, reducing the need for manual intervention. This feature can also help protect against availability zone failures and support disaster recovery. If an instance is lost, this feature can be used to automatically provision a replacement. https://docs.aws.amazon.com/autoscaling/ec2/userguide/what-is-amazon-ec2-auto-scaling.html
  • Federated Search can be leveraged to execute unified search across multiple Splunk environments. This ability allows users to search across multiple, separate, complete Splunk software deployments without the complexity of distributed search. These separate Splunk deployments can exist in a public cloud, private cloud, on-premises, etc. https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutfederatedsearch

Indexing tier

Data ingestion tier

Limitations

Last modified on 26 June, 2024

This documentation applies to the following versions of Splunk® Validated Architectures: current

