Splunk® Enterprise

Distributed Search

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

System requirements and other deployment considerations for distributed search

This topic describes the key considerations when deploying a basic distributed search topology with search heads that function independently of each other. If instead you are deploying a search head cluster, see System requirements and other deployment considerations for search head clusters.

Hardware requirements for distributed search instances

For information on the hardware requirements for search heads and search peers (indexers), see Reference hardware in the Capacity Planning Manual.

Operating system compatibility

A non-clustered distributed search deployment can include a combination of search heads and indexers running on any supported operating system. For example, you can use a combination of indexers running on different supported Linux operating systems, such as RHEL 6.x and RHEL 7.x. See Supported operating systems in the Installation Manual.

For search head cluster and indexer cluster deployments, each cluster node must be running on the same operating system version. For more information on indexer cluster requirements, see System requirements and other deployment considerations for indexer clusters in Managing indexers and clusters of indexers.

Splunk Enterprise version compatibility

Upgrade search heads and search peers at the same time to take full advantage of the latest search capabilities. If you cannot do so, follow these version compatibility guidelines.

Compatibility between search heads and search peers

The following rules define compatibility requirements between search heads and search peers:

  • 7.x search heads are compatible with 7.x and 6.x search peers.
  • The search head must be at the same or a higher level than the search peers. See the note later in this section for a precise definition of "level" in this context.

Here is a non-exhaustive set of examples illustrating the sort of combinations that are compatible:

  • A 6.4 search head is compatible with a 6.3 search peer.
  • A 7.0 search head is compatible with a 6.4 search peer.
  • A 7.0 search head is compatible with a 7.0 search peer.

In contrast, here are examples of some combinations that are not compatible:

  • A 6.3 search head is not compatible with a 6.4 search peer.
  • A 6.4 search head is not compatible with a 7.0 search peer.

Note the following:

  • These guidelines are valid for standalone search heads and for search heads that are participating in a search head cluster.
  • Search heads participating in indexer clusters have different compatibility restrictions. See Splunk Enterprise version compatibility in Managing Indexers and Clusters of Indexers.
  • Compatibility is significant at the major/minor release level, but not at the maintenance level. For example, a 6.3 search head is not compatible with a 6.4 search peer, because the 6.3 search head is at a lower minor release level than the 6.4 search peer. However, a 6.3.1 search head is compatible with a 6.3.3 search peer, despite the lower maintenance release level of the search head.

Mixed-version distributed search compatibility

You can run a 6.x search head against 5.x search peers, but there are a few compatibility issues to be aware of. To take full advantage of the 6.x feature set, upgrade search heads and search peers at the same time.

This section describes the compatibility issues.

6.x features in a mixed-version deployment

When running a 6.x search head against 5.x search peers, note the following:

  • You can use data models on the search head, but only without report acceleration.
  • You can use Pivot on the search head.
  • You can run predictive analytics (the predict command) on the search head.

Licenses for distributed search

Each instance in a distributed search deployment must have access to a license pool. This is true for both search heads and search peers. See Licenses and distributed deployments in Admin Manual.

Synchronize system clocks across the distributed search environment

Synchronize the system clocks on all machines, virtual or physical, that are running Splunk Enterprise distributed search instances. Specifically, this means your search heads and search peers. In the case of search head pooling or mounted bundles, this also includes the shared storage hardware. Otherwise, various issues can arise, such as bundle replication failures, search failures, or premature expiration of search artifacts.

The synchronization method that you use depends on your specific set of machines. Consult the system documentation for the particular machines and operating systems on which you are running Splunk Enterprise. For most environments, Network Time Protocol (NTP) is the best approach.

PREVIOUS
Deploy a distributed search environment
  NEXT
Add search peers to the search head

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters