Which instance should host the console?
This topic is a step in the process of setting up the monitoring console for a distributed Splunk Enterprise deployment.
To start, determine which instance will best host the monitoring console. You have several options, depending on the nature of your deployment. Whichever instance you choose, these requirements apply:
- The instance you choose must meet or exceed the search head reference hardware requirements. See Reference hardware in the Capacity Planning Manual.
- For security and performance reasons, only Splunk Enterprise administrators should have access to this instance.
- The instance hosting the monitoring console must not run any searches unrelated to its function as monitoring console. The exception to this rule is if you are using the console to monitor a standalone single-instance deployment.
This table outlines the recommended locations for the monitoring console, based on deployment type.
Distributed mode? | Indexer clustering? | Search head clustering? | Recommended locations |
---|---|---|---|
No | N/A | N/A | The standalone instance. |
Yes | No | No | The license master or a deployment server servicing a small number (<50) of clients. Otherwise, run the monitoring console on a search head that is dedicated to running monitoring console searches. |
Yes | Single indexer cluster | Not relevant | The manager node, if the load on the manager node is below the limits specified in Additional roles for the manager node in the Managing Indexers and Clusters of Indexers manual. Otherwise, run the monitoring console on a search head node that is dedicated to running monitoring console searches. If you are using SmartStore you must host the monitoring console on a dedicated search head. |
Yes | Multiple indexer clusters | Not relevant | A search head that is configured as a search head node across all the clusters. This search head must be dedicated to monitoring console use. |
Yes | No | Yes | The search head cluster deployer, a license master, or a standalone search head that is dedicated to running monitoring console searches. Do not run the monitoring console on a search head cluster member. |
For a general discussion of management component colocation, see Components that help to manage your deployment in the Distributed Deployment Manual.
See the sections that follow for detailed information for certain deployment types.
In a non-clustered deployment
You can locate the monitoring console on any of these instances:
- A license master
- A deployment server that is servicing a small number (<50) of clients
- A dedicated search head
In a deployment with a single indexer cluster
In a single indexer cluster, you can host the monitoring console on the instance running the manager node if the load on the manager node is below the limits specified in Additional roles for the manager node in the Managing Indexers and Clusters of Indexers manual.
You can also host the monitoring console on a search head node in the cluster, but you must dedicate the node to monitoring console searches. You cannot use the search head to run any other searches.
If you are using SmartStore, you must host the monitoring console on a dedicated search head.
In a deployment with multiple indexer clusters
If your deployment has multiple indexer clusters, host the monitoring console on a dedicated search head configured as a search head node on each indexer cluster. Do not use this search head to run any non-monitoring console searches.
To do this:
1. Configure a search head to serve as a node on each of the indexer clusters. See Search across multiple indexer clusters in the Managing Indexers and Clusters of Indexers manual. This is your monitoring console instance.
2. Configure each manager node and all search head nodes in the clusters as search peers of the monitoring console instance. See Add instances as search peers in this manual.
Do not configure the cluster peer nodes (indexers) as search peers to the monitoring console node. As nodes in the indexer clusters, they are already known to all search head nodes in their cluster, including the monitoring console node.
In a deployment with a search head cluster but without an indexer cluster
You can locate the monitoring console on any of these instances:
- A search head cluster deployer
- A license master
- A standalone, dedicated search head
Do not run the monitoring console on a search head cluster member.
The Monitoring Console is not supported for search head pooling deployments. Search head pooling was first deprecated in Splunk Enterprise 6.2.0 and the functionality is removed from Splunk Enterprise 8.0.0 and higher.
Why not to host the console on a production search head
Do not configure the monitoring console on a production search head that is already in use, for the following reasons:
- Non-monitoring console searches that run on this search head might have incomplete results. The monitoring console distributed search groups modify default search behavior to ensure that the searches for the monitoring console dashboards are narrowly scoped to the list of search peers that they target. When you set up the monitoring console in distributed mode, it creates one search group for each server role, identified cluster, or custom group. Unless you use a "splunk_server_group" or the "splunk_server" option, only search peers that are members of the indexer group are searched by default. Because all searches that run on the monitoring console instance follow this behavior, non-monitoring console searches might have incomplete results.
- All production search heads should be monitored for performance, and the monitoring console affects the performance of the search head that hosts it. It can be difficult to disentangle monitoring console resource usage from production resource usage on the same instance.
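The following added example (not part of the Splunk documentation) shows the default-group behavior described above: it parses a distsearch.conf and reports which search peers a search without "splunk_server_group" or "splunk_server" never reaches. The file content, the dmc_group_* group names and the hostnames are constructed sample values, and the function names are hypothetical.

```python
import configparser

# Constructed sample of a distsearch.conf on a distributed-mode monitoring
# console; hostnames are placeholders and do not come from the page.
SAMPLE_DISTSEARCH = """
[distributedSearch]
servers = https://idx1.example.test:8089,https://idx2.example.test:8089,https://sh1.example.test:8089,https://cm1.example.test:8089

[distributedSearch:dmc_group_indexer]
default = true
servers = idx1.example.test:8089,idx2.example.test:8089

[distributedSearch:dmc_group_search_head]
servers = sh1.example.test:8089

[distributedSearch:dmc_group_cluster_master]
servers = cm1.example.test:8089
"""

PREFIX = "distributedSearch:"

def _peers(value):
    """Split a servers= list and normalise each entry to host:port."""
    return {p.strip().split("://")[-1] for p in value.split(",") if p.strip()}

def default_search_scope(conf_text):
    """Return (all_peers, default_groups, peers_skipped_by_unscoped_searches)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    all_peers = _peers(cp.get("distributedSearch", "servers", fallback=""))
    default_groups, default_peers = [], set()
    for section in cp.sections():
        if not section.startswith(PREFIX):
            continue
        members = _peers(cp.get(section, "servers", fallback=""))
        all_peers |= members
        if cp.get(section, "default", fallback="false").strip().lower() in ("true", "1"):
            default_groups.append(section[len(PREFIX):])
            default_peers |= members
    # With no default group, an unscoped search goes to every configured peer.
    skipped = all_peers - default_peers if default_groups else set()
    return all_peers, default_groups, skipped

if __name__ == "__main__":
    _, groups, skipped = default_search_scope(SAMPLE_DISTSEARCH)
    print("default group(s):", groups, "| never searched unscoped:", sorted(skipped))
```

On a production search head, any peer in the skipped set holds data that scheduled searches and alerts would silently miss unless each search names a server group or server explicitly.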
The monitoring console and deployment server
In most cases, you cannot host the distributed monitoring console on a deployment server. The exception is if the deployment server handles only a small number of deployment clients, no more than 50. The monitoring console and deployment server functionalities can interfere with each other at larger client counts. See Deployment server provisioning in the Updating Splunk Enterprise Instances manual.
Next step
To continue setting up the monitoring console in distributed mode, make sure your deployment meets the prerequisites. See Monitoring Console setup prerequisites.
This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12