SH C Flashcards
What is search head clustering ?
Group of Splunk Enterprise search heads that serve as a central resource for searching.
Name the characteristics of a SH cluster.
-Minimum of three nodes
-Share the same search artifacts
-Share the same configurations
-Allows more users to access the same data
-If one search head goes down, searching and data high availability will continue
Why use SH clustering ?
A. Horizontal scaling-as the number of users and search load increase, you can add new search heads.
B. High Availability-As only 12 users can access a search head, more nodes allow for data to be more available
C. No Single Point of Failure
How will you fix the problem of slow running searches?
add more RAM and CPU or storage to server; adding more storage and increasing processing = decrease amount of CPU being tied up
scale your SH up(one way), is the last thing you would do since you are adding more resources which would cost more money
What is the main job of a captain?
Assign jobs to members and itself and coordinates alerts and pushes knowledge objects to indexers
(so the indexers can process that distributed search = when doing distributed search there are KO(knowledge objects) that get attached to data presented on screen.
Is captain responsible for results?
NO, captain is not responsible for results, it is responsible for coordinating distributed search and peers
What is STATIC CAPTAIN and how do you choose it?
designated captain ; to choose you have to decide the server and necessary command or configurations ; specify all the hostnames of other SH that will be part of cluster
What is a DYNAMIC CAPTAIN
(automatic from Splunk)
captain that is not set ; SH and cluster vote who should be captain based on which SH is least busiest every 10 min = always changing
Describe load balancer role in search head cluster.
sit between users and our SH (only)
does a health check of SH
if SH is bad LB will move end user to another SH
What is an app?
a group of configuration files that is sent to specific components to control server behavior
Which 3 components of Splunk can deploy apps and from what location?
Deployment Server = opt/splunk/etc/deployment-apps
Cluster Master = opt/splunk/etc/master-apps
Deployer = opt/splunk/etc/shcluster/apps
Main difference between etc/apps vs system/local
with system/local when you put configs here they are not apps-they can never be managed by centralized manager
making system local changes = bootstrapping and will override anything in etc/apps
Most important feature of opt/splunk/etc?
Apps that are OOTB, from Splunkbase, or custom-made for the individual component itself.
Most important feature of opt/splunk/etc/system/local?
Configurations that are configured locally on the individual component itself.
Discuss the configurations bundled in: opt/splunk/etc/deployment-apps, opt/splunk/etc/master-apps, opt/splunk/etc/shcluster/apps
opt/splunk/etc/deployment-apps = Configurations bundled in an app to deploy configurations to the clients of the deployment servers.
opt/splunk/etc/master-apps = configurations bundled in an app to deploy configurations to the indexers that are part of the indexer cluster.
opt/splunk/etc/shcluster/apps = Configurations bundled in an app to deploy configurations to search heads part of the search head cluster
