Splunk® Enterprise

Distributed Search

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

About search head clustering

A search head cluster is a group of Splunk Enterprise search heads that serves as a central resource for searching. The members of a search head cluster are essentially interchangeable. You can run the same searches, view the same dashboards, and access the same search results from any member of the cluster.

To achieve this interchangeability, the search heads in the cluster must share configurations and apps, search artifacts, and job scheduling. Search head clusters automatically propagate most of these shared resources among the members.

Benefits of a search head cluster

Search head clusters provide these key benefits:

  • Horizontal scaling. As the number of users and the search load increases, you can add new search heads to the cluster. If you place a third-party load balancer between the users and the cluster, the cluster topology is transparent to the users.
  • High availability. If a search head goes down, you can run the same set of searches and access the same set of search results from any other search head in the cluster.
  • No single point of failure. The search head cluster uses a dynamic captain to manage the cluster. If the captain goes down, another member automatically takes over management of the cluster.

Cluster architecture

A search head cluster consists of a group of networked search heads, called cluster members. One cluster member, the captain, coordinates all cluster-wide activities. If the member serving as captain goes down, another member takes its place.

The members share:

  • Job scheduling. The cluster manages job scheduling centrally, allocating each scheduled search to the optimal member, usually the member with the least load.
  • Search artifacts. The cluster replicates search artifacts and makes them available to all members.
  • Configurations. The cluster requires that all members share the same set of configurations. For runtime updates to knowledge objects, such as updates to dashboards or reports, the cluster replicates configurations automatically to all members. For apps and some other configurations, the user must push configurations to the cluster members by means of the deployer, a Splunk Enterprise instance that resides outside the cluster.

See "Search head clustering architecture."

How to set up the cluster

You set up a cluster by configuring and deploying the cluster's search heads. The process is similar to how you set up search heads in any distributed search environment. The main difference is that you also need to configure the search heads as cluster members.
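The following server.conf fragments illustrate the member and deployer configuration that the two paragraphs above describe (configurations pushed from the deployer; search heads configured as cluster members). They are an added example for this page, not taken from the Splunk documentation; the hostnames (sh1, sh2, sh3, deployer.example.com), the ports, the replication factor, the label, and the secret value are all assumptions. The stanza and key names are the real server.conf settings for search head clustering.

```ini
# --- server.conf on each cluster member (sh1, sh2, sh3 are assumed hostnames) ---
[shclustering]
disabled = 0
# Members authenticate to each other with this shared secret; it must be identical
# on every member and on the deployer. Placeholder, not a real value.
pass4SymmKey = <REPLACE-WITH-STRONG-SHARED-SECRET>
# Management URI of THIS member; change the hostname on each member.
# 8089 is the Splunk management port and is served over TLS.
mgmt_uri = https://sh1.example.com:8089
# Where this member fetches apps and configurations pushed by the deployer.
conf_deploy_fetch_url = https://deployer.example.com:8089
# Number of copies of each search artifact kept across the cluster;
# must not exceed the number of members (3 members here).
replication_factor = 3
shcluster_label = shcluster1

# Port the members use to replicate search artifacts to each other.
[replication_port://34567]

# --- server.conf on the deployer (an instance outside the cluster) ---
[shclustering]
# Same secret as the members; the deployer is not itself a member.
pass4SymmKey = <REPLACE-WITH-STRONG-SHARED-SECRET>
shcluster_label = shcluster1
```

Restart each member after editing server.conf, and keep the secret out of version control and out of the app bundles the deployer pushes; the deployer distributes whatever is in its apps directory to every member, so anything placed there is effectively cluster-wide.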

See the chapter "Deploy search head clustering".

How the user accesses the cluster

Users access the cluster the same way that they access any search head. They point their browser at any search head that is a member of the cluster. Because cluster members share jobs, search artifacts, and configurations, it does not matter which search head a user accesses. The user has access to the same set of dashboards, searches, and so on.

To achieve the goals of high availability and load balancing, Splunk recommends that you put a load balancer in front of the cluster. That way, the load balancer can assign the user to any search head in the cluster and balance the user load across the cluster members. If one search head goes down, the load balancer can reassign the user to any remaining search head.

Search head clusters and indexer clusters

Search head clusters are different from indexer clusters. The primary purpose of indexer clusters is to provide highly available data through coordinated groups of indexers. Indexer clusters always include one or more associated search heads to access the data on the indexers. These search heads might be, but are not necessarily, members of a search head cluster.

For information on search heads in indexer clusters, see the chapter "Configure the search head" in the Managing Indexers and Clusters of Indexers manual.

For information on adding a search head cluster to an indexer cluster, see the topic "Integrate the search head cluster with an indexer cluster" in this manual.

Last modified on 23 September, 2015

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2
