READ THIS FIRST: Key differences between clustered and non-clustered Splunk deployments
This topic describes key differences between clustered and non-clustered indexers. In particular, it discusses issues regarding system requirements and deployment.
Read this topic carefully if you plan to migrate your current set of indexers to a cluster.
Do not use deployment server or third-party deployment tools with cluster peers
Neither the deployment server nor any third party deployment tool (such as Puppet or CFEngine, among others) is supported as a means to distribute configurations or apps to cluster peers. To distribute configurations across the set of cluster peers, use the configuration bundle method outlined in the topic "Update common peer configurations".
For information on how to migrate app distribution from the deployment server to the configuration bundle method, see "Migrate apps to a cluster".
Note: You can, however, use deployment server to distribute updates to cluster search heads.
Differences in system requirements
Peer nodes have some different system requirements compared to non-clustered indexers. Before migrating your indexer, read the topic "System requirements and other deployment considerations". In particular, be aware of the following differences:
- When you convert an indexer to a cluster peer, disk usage will go up significantly. Make sure you have sufficient disk space available, relative to daily indexing volume, search factor, and replication factor. For detailed information on peer disk usage, read "Storage considerations".
- You might need to use different hardware for your
colddbstorage. For detailed information on hardware storage needs, read "Storage hardware".
- The peer node should reside on a high speed network with the other cluster components, as described in "Network requirements".
- Cluster components cannot share Splunk instances. The master node, peer nodes, and search head must each run on its own instance.
Other considerations and differences from a non-cluster deployment
In addition, note the following:
- For most types of cluster deployments, you should enable indexer acknowledgment on the forwarders sending data to the peer. This will have some effect on indexing performance. See "How indexer acknowledgement works".
- There will be some overall reduction in performance due to a few factors; mainly, indexer acknowledgement, as well as the need to store, and potentially index, replicated data coming from other peer nodes.
- When restarting cluster peers, you should use the Manager or one of the cluster-aware CLI commands, such as
splunk rolling-restart. Do not use
splunk restart. For details, see "Restart the entire cluster or a single cluster node".
Migrate a non-clustered indexer
To learn how to migrate an existing Splunk indexer to a cluster and the ramifications of doing so, read the topic "Migrate non-clustered indexers to a cluster".
System requirements and other deployment considerations
This documentation applies to the following versions of Splunk® Enterprise: 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18