Splunk® Enterprise

Distributed Search

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Deploy a single-member search head cluster

For limited purposes, you can deploy a single-member search head cluster. This approach allows you to start with a small distributed search deployment and easily scale to a larger cluster later.

Why a single-member cluster?

The main benefit of a search head cluster is to provide high availability search. To fulfill that benefit, the cluster must comprise at least three members. See Captain election process has deployment implications.

If you do not require high availability and you need only the capacity provided by a single search head, you can deploy a non-clustered search head.

However, even if your current needs can be met by a single search head, you might want to deploy a single-member search head cluster rather than a non-clustered search head. This approach ensures a simple path to future expansion. When you are ready to scale your deployment's search capacity, you can expand the single-member cluster into a cluster of three or more members, thereby gaining access to high availability and the other benefits of a full-fledged cluster.

As an alternative to starting your distributed search deployment with a single-member cluster, you can start with a non-clustered, standalone search head. Although a non-clustered search head is simpler to deploy initially than a single-member search head cluster, scaling your search capacity in the future becomes a more complicated process, because it involves migrating the settings from the non-clustered search head to a search head cluster. See Migrate settings from a standalone search head to a search head cluster.

Deploy a single-member cluster

To deploy a single-member search head cluster, follow the same deployment procedure as you would for a multi-member cluster. See Deploy a search head cluster.

Note the following:

  • The single member is also the cluster captain.
  • You must choose a separate Splunk Enterprise instance to function as the deployer.
  • You must set the replication factor on the member to 1.

The role of the deployer

In a search head cluster, the deployer distributes all apps and certain other configurations to the cluster members. See Use the deployer to distribute apps and configuration updates. You must use the deployer to distribute apps and other configurations.

Do not install apps and other similar configurations directly on the member. If you do, the configurations will not get added properly to new members when you later expand the cluster.

Scale the cluster to three or more members

When scaling the cluster, expand directly from the single member to a three-member cluster. A two-member cluster is not an inherently stable topology, due to the captain election process. Therefore, a two-member cluster is acceptable only for a brief period, during the process of scaling from one to three members.

To add new members to the cluster, follow the procedure described in Add a new member.

After you add the new members, update the replication factor on each member to the desired value for the expanded cluster, usually 3. All members must use the same value for the replication factor. See Choose the replication factor for the search head cluster.

3 is the default value for the replication factor. Therefore, if you choose to use 3 as the value, you only need to update the setting on the original member, which you previously set to 1 at the time of the initial deployment.
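
The replication factor rules above, as an added checker (example code, not part of the Splunk documentation or tooling): it reads each member's server.conf text and reports the inconsistencies this page warns about. It assumes the setting is `replication_factor` under the `[shclustering]` stanza; the hostnames, label and sample files are constructed.

```python
import configparser

DEFAULT_RF = 3  # the page states that 3 is the default replication factor

# Constructed sample server.conf contents (hostnames and label are made up).
ORIGINAL_MEMBER = """\
[shclustering]
mgmt_uri = https://sh1.example.com:8089
conf_deploy_fetch_url = https://deployer.example.com:8089
replication_factor = 1
shcluster_label = shcluster1
"""
NEW_MEMBER = """\
[shclustering]
conf_deploy_fetch_url = https://deployer.example.com:8089
shcluster_label = shcluster1
"""

def replication_factor(conf_text):
    """Effective replication factor for one member's server.conf text."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(conf_text)
    # Assumption: the setting is replication_factor under [shclustering].
    if parser.has_option("shclustering", "replication_factor"):
        return parser.getint("shclustering", "replication_factor")
    return DEFAULT_RF  # unset means the default applies

def check_cluster(members):
    """members maps member name -> server.conf text; returns a list of findings."""
    factors = {name: replication_factor(text) for name, text in members.items()}
    findings = []
    if len(members) == 1 and list(factors.values()) != [1]:
        findings.append("single-member cluster: replication factor must be 1")
    if len(members) == 2:
        findings.append("two members: acceptable only briefly while scaling to three")
    if len(set(factors.values())) > 1:
        findings.append(f"replication factor differs across members: {factors}")
    return findings

if __name__ == "__main__":
    # Expanded cluster where the original member was never updated from 1.
    expanded = {"sh1": ORIGINAL_MEMBER, "sh2": NEW_MEMBER, "sh3": NEW_MEMBER}
    for finding in check_cluster(expanded):
        print(finding)
```

Run against the expanded cluster, it flags the original member that still carries the value 1 while the new members fall back to the default of 3.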

Last modified on 31 May, 2019

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2

