Indexer clusters vs. search head clusters in Splunk

Time: 2018-01-29 07:22:36

Tags: amazon-web-services splunk

I am trying to learn Splunk and understand how to install Splunk Enterprise on AWS.

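While reading the documentation, I came across indexer clusters and search head clusters in Splunk, but no documentation (that I could find) shows how these two clusters interact with each other.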

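The quick start guide sets up an indexer cluster and a search head cluster in one environment, but even there it does not mention how the two clusters work together and relate to each other.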

Any references to relevant documentation, or an explanation, would be great.

1 Answer:

Answer 0: (score: 0)

I also posted the same question on the Splunk Q&A site, where I got an answer that resolved my doubts. Posting it here:

Search head clusters and indexer clusters are two entirely independent types of clusters used for entirely different purposes.

Indexer clusters connect together multiple indexers so they share data for redundancy or performance, spread out the "indexer side" of the search load (which can be most of it, depending on your searches) and so on. It supports data replication, inputs load balancing, all that sort of stuff.

Search Head clusters (SHC) are a way to build a cluster of search heads. So much like indexer clustering only it handles users, dispatching searches, displaying the data and so on.

The two interact mainly via a simple mechanism.

Search heads (and search head clusters) search the data held on Indexers (and indexer clusters). That's really about it. You can have a SHC search a single indexer, you can have a single SH search an Indexer cluster. Or a single SH search a single Indexer. Or a SHC search an Indexer cluster.

For those different scenarios, the only real difference is the setup of the indexer/SH side of things with respect to the cluster. Once that cluster is set up, the interaction between the two is defined by Settings/Distributed Search.