Understanding Splunk search head and search head pooling

The Splunk search head is the main GUI/front end for Splunk, commonly accessed through a browser. It works somewhat like Google: you enter keywords and click Search to get the expected results. Like any other Splunk component, the search head can be installed on a separate server or on the same server as other Splunk components. There is no separate installation file for the search head; you just have to enable the splunkweb service on the Splunk server.

When you enter a keyword in the Splunk search box, the search head scans, in the background, the indexers connected to it for logs containing that keyword and fetches the results. It looks in all of the indexers connected to it and can run searches across multiple indexers at the same time.

The Splunk Web service is responsible for providing GUI access to Splunk through the browser. Splunk Web is a web application written using a combination of Python, AJAX, XML, XSLT, etc., which provides the super intuitive graphical UI. Splunk is one of the few products that still use C++ and Python instead of the clunky Java and its cousins. This gives Splunk an edge when processing the large data volumes thrown at it. Below we will see how the Splunk search head works and how we can configure it.
How to access search head?
You can access your Splunk search head by entering the URL below in your browser:
http://<search head server name>:8000
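The URL above matches Splunk Web's default settings in the [settings] stanza of web.conf (web server on, port 8000, no TLS). The following is an added example, not code from the original page: it reads web.conf contents and reports the URL the search head is served on and whether that URL is plain HTTP. The two sample files and the host name search-head.example.com are constructed for illustration.

```python
import configparser

# Splunk's default values for the [settings] stanza of web.conf.
DEFAULTS = {"startwebserver": "1", "httpport": "8000", "enableSplunkWebSSL": "false"}
TRUE_VALUES = {"1", "true", "t", "yes", "y"}

# Constructed sample inputs (not taken from a real deployment).
PAGE_STYLE_CONF = "[settings]\nstartwebserver = 1\nhttpport = 8000\n"
HARDENED_CONF = "[settings]\nstartwebserver = 1\nhttpport = 8000\nenableSplunkWebSSL = true\n"


def audit_web_conf(text, host="search-head.example.com"):
    """Report how Splunk Web is exposed according to web.conf contents."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(text)

    settings = dict(DEFAULTS)  # settings missing from the file fall back to defaults
    if parser.has_section("settings"):
        settings.update(parser["settings"])

    enabled = settings["startwebserver"].strip().lower() in TRUE_VALUES
    tls = settings["enableSplunkWebSSL"].strip().lower() in TRUE_VALUES
    port = int(settings["httpport"])

    url = None
    findings = []
    if enabled:
        url = f"{'https' if tls else 'http'}://{host}:{port}"
        if not tls:
            findings.append(
                "Splunk Web is served over plain HTTP: logins and search "
                "results cross the network unencrypted"
            )
    return {"enabled": enabled, "tls": tls, "url": url, "findings": findings}


if __name__ == "__main__":
    for name, conf in (("page-style", PAGE_STYLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_web_conf(conf))
```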
How many search heads to install?
It depends on the number of users and the number of concurrent sessions. A general rule of thumb is to use 1 search head for 8-12 users, or 1 search head for 30-50 sessions at the same time.
How search head works - How search head searches for logs?
Basically, Splunk searches for logs in the Splunk indexers. The search head is directly connected to the indexers in the background. Indexers are basically the database for Splunk, containing all the logs collected from various sources. The Splunk search head looks for data in multiple indexers while searching. The diagram below shows the connections between the search head and Splunk.
What is search head pool and search head pooling?
A search head pool is nothing but a group of connected search head servers that share load, configuration and user data. If any search head server goes down, you can still continue searching with the other available servers in the pool.
How to create search head pool?
To create a search head pool in your environment, you must have at least two search heads that share common storage.