Splunk® Enterprise

Monitoring Splunk Enterprise

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Which instance should host the console?

This topic is a step in the process of setting up the Distributed Management Console (DMC) for a Splunk Enterprise deployment. See About the Distributed Management Console above.

Once you have configured the DMC in distributed mode, you will be able to navigate to it on only one instance in your deployment and view the console information for your entire deployment. But which instance should this be?

You have several options for where to host the DMC. The instance you choose must be provisioned as a search head. See Reference hardware in the Capacity Planning Manual. For security and some performance reasons, only Splunk Enterprise administrators should have access to this instance.

Important: Except for the case of a single, standalone Splunk Enterprise instance, the instance hosting the DMC should not be used as a production search head and should not run any searches unrelated to its function as the DMC.

This table describes the recommended locations for the DMC, based on deployment type.

Distributed mode? Indexer clustering? Search head clustering? DMC options
No N/A N/A The standalone instance.
Yes No No The license master or a deployment server servicing a small number (<50) of clients. Use of the instance should be limited to DMC and these specific functions. If neither a license master nor a deployment server is available, run the DMC on a dedicated search head not used for other purposes.
Yes Single cluster Not relevant The master node. If preferred, you can instead run the DMC on a dedicated search head not used for other purposes.
Yes Multiple clusters Not relevant A search head that is configured as a search head node across all the clusters. This search head must be limited only to DMC use.
Yes No Yes The search head cluster deployer. If preferred, you can instead run the DMC on a dedicated search head not used for other purposes. Do not run the DMC on a search head cluster member.

In a deployment with a single indexer cluster: On the master node

In an indexer cluster (either single-site or multisite), host the DMC on the cluster master. See System requirements in Managing Indexes and Clusters.

As an alternative, you can host the DMC on a search head node in the cluster. If you do so, however, you cannot use the search head to run any non-DMC searches. See Enable the search head in Managing Indexers and Clusters of Indexers.

In a deployment with multiple indexer clusters: On a search head node

If your deployment has multiple indexer clusters, host the DMC on a search head configured as a search head node on each of the clusters. Do not use this search head to run any non-DMC searches.

The main steps to accomplish this are:

1. Configure a single search head as a node on each of the indexer clusters. See Search across multiple indexer clusters in the Managing Indexes and Clusters Manual. This is your DMC instance.

2. Configure each master node, as well as all search head nodes in the clusters, as search peers of the DMC instance. See Add instances as search peers.

Caution: Do not configure the cluster peer nodes (indexers) as search peers to the DMC node. As nodes in the indexer clusters, they are already known to all search head nodes in their cluster, including the DMC node.

In a non-indexer-cluster environment, option 1: On the license master

You can configure the monitoring console on your dedicated license master if the following are true:

  • Your license master can handle the search workload, that is, meets or exceeds the search head reference hardware requirements. See Reference hardware in the Capacity Planning Manual.
  • Only Splunk Enterprise admins can access your license master.

In a non-indexer-cluster environment, option 2: On a new instance

Another option is to provision a new instance, configure it as a search head of search heads and a search head of indexers, and configure the DMC in distributed mode there.

DMCarch.png

In a search head cluster environment

Use a deployer or dedicated license master for hosting the DMC. The DMC cannot be on a search head cluster member. The app is disabled on startup on a search head cluster member. See System requirements and other deployment considerations for search head clusters in the Distributed Search Manual.

DMC is not supported in a search head pooled environment.

Why not to host the console on a production search head

You should configure DMC on an instance that is not used as a production search head (a search head that runs your own searches or apps) for a few reasons.

The DMC's distributed search groups modify default search behavior. This modification ensures that the searches for the DMC dashboards are as narrowly scoped as possible to the list of search peers they target. When you set up the DMC in distributed mode, it creates one search group per server role, identified cluster, or custom group. Then it makes sure that unless you use a "splunk_server_group" or the "splunk_server" option, only search peers that are members of the indexer group are searched by default. But since all searches follow this behavior, non-DMC searches might have incomplete results.

Additionally, you should not host the DMC on a production search head because all production search heads should be monitored for performance, and the DMC itself affects performance. It can be difficult to disentangle DMC resource usage from production resource usage on the same instance.

The DMC and deployment server

In most cases, you cannot host the distributed DMC on a deployment server. The exception is if the deployment server handles only a small number of deployment clients, no more than 50. The DMC and deployment server functionalities can interfere with each other at larger client counts. See Deployment server provisioning in the Updating Splunk Enterprise Instances manual.


Next step

To continue setting up the DMC in distributed mode, your next step is to make sure your deployment meets the prerequisites. See DMC setup prerequisites.

PREVIOUS
Single-instance DMC setup steps
  NEXT
DMC prerequisites

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters