SPLK-2002 Splunk Enterprise Certified Architect – Distributed Splunk Architecture

  1. Overview of Distributed Splunk Architecture

Hey everyone and welcome back. In today’s video, we’ll be discussing the distributed Splunk architecture. Now, the Splunk Enterprise that we generally use consists of various sub-components. These sub-components include the indexer, the search head, the deployment server, forwarders, the license master, and even the monitoring console. A simple example I can give you is my mobile phone. Although this phone is a complete package, it consists of various other sub-components. If you look at my Motorola phone, it has this big camera at the back, which is an external component. These parts fit together and become a single unit, and the same goes for Splunk. Splunk also contains various components. They can be distributed. However, if you just install Splunk, all of them form a single unit that you can use within a single Splunk Enterprise installation. So let’s understand this with a simple animation. Let’s assume that the entire block you see over here is a Splunk Enterprise instance. Within this, you have various sub-components: this can be the indexer, and you have the search head, monitoring console, deployment server, forwarders, et cetera.

Now, if you use a single Splunk Enterprise instance here, it might happen that one of the components fails. And many times, if you install everything within a single server, this failure can cause the failure of the entire Splunk instance itself. So you need to be careful. Specifically, when you are using Splunk in your corporate environment, where searchability is an important aspect, you don’t want Splunk going down. Hence, having a single Enterprise instance is not preferred. What you do instead is a distributed setup. In a distributed setup, an individual Splunk Enterprise instance is used for a single component. So let’s say this one is used only for indexers, this one for search heads, this one for forwarders, this one exclusively for the monitoring console, et cetera.

In such cases, if one of the components fails, the rest of the components will not be affected, because the failed one is in an isolated Splunk instance. All right, so many times distributed Splunk components really help a lot. However, do not consider a distributed setup as the best setup. Because if a component fails, let’s say component B has failed, then during that time I will not be able to use the feature of component B, whatever it may be. It may be the search head, it may be the indexer, it may be the forwarder. While it is in the failed state, although it might not bring all the other components down, we will not be able to use the feature of the failed component.

Hence a distributed setup by itself is not a very ideal approach, and so we make use of something like a clustered setup. In a clustered setup, you have a cluster of individual components. So say you have a cluster of search heads over here, a cluster of indexers, and a cluster of forwarders over here. In this kind of setup, even if one instance within the cluster goes down, your component is still not down. All right? So now let’s say the second instance of your component has gone down; you still have your third instance up, and your functionality will still be preserved. This is the importance of a clustered setup. Remember that if you are going to install or run Splunk in your production environment, having a clustered setup is very, very important to ensure that all the functionality of Splunk is up and available all the time.

Although we were discussing in terms of various symbols over here, when you talk about a clustered setup, you need to have a systematic diagram of how exactly it works. So if you look, you have three indexer nodes in a cluster; indexers are basically used for indexing the data. Then you have the search head cluster, which is used for the search head component. And you can see how the indexer cluster interacts with the search head cluster. So this is what the cluster setup looks like as a technical diagram. We’ll be doing the entire cluster setup, looking into how we can create an indexer cluster and how we can create a search head cluster, in the upcoming section. But I just wanted to show you how this would look as a technical diagram. Now, before we go ahead and do all of this cluster setup, it is important for us to understand what each and every component within Splunk is all about.

So we already discussed that Splunk Enterprise contains various sub-components, which can be the indexer, search head, deployment server, license master, forwarder, and monitoring console. Before we do clustering, before we do high availability, it is important for us to understand what these components are. Because if we do not understand them, we will not understand the true motive of doing a clustering setup. So throughout this section, we’ll be understanding each of these components in detail, after which we’ll look into the clustering or high availability setup as well. Now, one very important part to remember is that Splunk does not support the clustering feature for each and every component present here. Two of the major components within Splunk that support clustering are the indexer and the search head. And our next two sections are dedicated to achieving clustering for both indexers and search heads. So this is a very important part: for other components like the license master and heavy forwarder, Splunk does not support clustering. It supports active/passive based failover. So this is one important part to remember.

  1. Understanding License Master

Hey everyone and welcome back. In the previous video we were discussing the license master architecture typically required when you have a distributed kind of setup. So in today’s video, we will go ahead and implement a similar setup and look into how we can have a license master and its associated license slaves. For our testing purposes, what I have done is I have created three Docker containers. One Docker container is associated with the Splunk master; this is the license master. The second is slave 01 and the third is slave 02. The master is running on port 8000. This is the host port. Remember, the backend ports are all 8000. Slave 01 is running on port 8001 on my Windows host and slave 02 is running on port 8002 of my Windows host. Great. So let’s go ahead and open localhost on port 8000. This is going to be my master server. Let’s log in here. Once you’re logged in, if you go to Settings and then Licensing, you’ll typically see that this is a trial license group and this server is acting as a standalone server.

What we want is for this server to act as a license master so that it can associate a license with the other license slaves that we create. In order to make this the Splunk license master, you have to click on Change to slave. Here there are two options. One is to designate this Splunk instance as the master license server, and the other is to designate a different Splunk instance as the master license server. We want to make this instance the license master, so I’ll select the first option and click on Save. Perfect. Now the master server was successfully changed. You can click on OK. The next thing you need to do is add a license. We can go ahead and add the trial license which we had generated earlier. I have selected my Splunk license file over here, and I’ll click on Install. Once you click Install, you will need to restart your Splunk Enterprise server. Perfect. My Splunk instance is restarted. Let’s quickly log in here. Now if you look, the trial license group changed to the Enterprise license group and you’ve got a lot more options than you would typically see. One of them is the pooling related functionality that we’ll be discussing.

So now this basically acts as a master license server, which is also stated here: this server is acting as a master license server. Our next step is to create a slave. We already have the slave containers up and running. If you look over here, I have my Splunk master and two Splunk servers running: one on port 8001 and the second on port 8002. In a different browser, I have opened localhost:8001. Let’s go ahead and log in here. What we’ll do with this Splunk Enterprise instance is connect it to our license master so that the trial functionality goes away. Currently, you see, this is the trial license group. So we’ll connect this specific instance to the license master. In order to do that, you need to click on Change to slave over here. There are two options. You can make this a master.

We do not want to do that because we already have a master created. The second option is to designate a different Splunk instance as the master license server. So we need to provide the IP address of the license master server where our license is installed. To get it, you need to run docker inspect on the Splunk master container. You will get the IP address associated with the master server, which is 172.17.0.2. So I’ll specify 172.17.0.2, and after the colon you have to specify 8089, which is the management port. You can go ahead and save. Perfect. Once you have done that, let’s quickly restart our server. Great.

So our Splunk instance is restarted. Let’s quickly log in here and go to Settings, then Licensing. This time you would see that this server is associated with a remote master license server. Now if you go to Licensing, you won’t get any option to see how much consumption has been happening and other aspects, because this is connected to the remote master. In a similar way, you can connect one more Docker container to the remote master if you require it; otherwise, this one is also good enough for the demo practical. Now, going to the master licensing server, you typically see a feature called the auto-generated Enterprise pool. Pooling is one of the important features of the license master server, and this is something we’ll be discussing in the upcoming video.
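The slave configuration walked through above, as an added example that is not part of the course: a POSIX shell script that writes the server.conf [license] stanza equivalent to the Change to slave step and checks that an existing stanza points at the master over HTTPS on the management port. The master IP 172.17.0.2 and port 8089 come from the demo; the container name splunk_master is an assumption.

```shell
#!/bin/sh
# Added example, not the course's own script. Builds and checks the
# server.conf [license] stanza that the "Change to slave" UI step produces.
# Assumed: master IP 172.17.0.2 (from the demo) and container name splunk_master.

# Print a [license] stanza for a license slave.
# $1 = license master host or IP, $2 = management port (default 8089).
license_slave_stanza() {
    printf '[license]\nmaster_uri = https://%s:%s\n' "$1" "${2:-8089}"
}

# Check the [license] stanza of a server.conf file ($1).
# Returns 0 if master_uri is https://host:port, 1 if the stanza or key is
# missing, 2 if it uses plain http (management traffic would be unencrypted),
# 3 for anything else.
check_license_stanza() {
    uri=$(awk -F'=' '
        /^\[/ { in_lic = ($0 == "[license]") }
        in_lic && $1 ~ /^[ \t]*master_uri[ \t]*$/ {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
        }' "$1")
    [ -n "$uri" ] || return 1
    case "$uri" in
        https://*:[0-9]*) return 0 ;;
        http://*)         return 2 ;;
        *)                return 3 ;;
    esac
}

# Demo with a constructed server.conf in a temporary directory.
demo_dir=$(mktemp -d)
license_slave_stanza 172.17.0.2 > "$demo_dir/server.conf"
cat "$demo_dir/server.conf"
if check_license_stanza "$demo_dir/server.conf"; then
    echo "OK: slave points at the master over HTTPS on the management port"
fi
# The same change from the Splunk CLI (master/slave-era command names), with
# the master IP looked up the way the video does it:
#   MASTER_IP=$(docker inspect -f '{{.NetworkSettings.IPAddress}}' splunk_master)
#   splunk edit licenser-localslave -master_uri "https://$MASTER_IP:8089"
#   splunk restart
rm -rf "$demo_dir"
```

Run the check against $SPLUNK_HOME/etc/system/local/server.conf on a slave after the restart; a return code of 2 means the stanza was written with http and should be corrected to https.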
