Provide a mid-tier distributed search template

[halr9000]

Just ran into situation with a customer where neither single nor multi really fits well. First, for several reasons, I don't think we want to suggest that index replication is mandatory (and most customers don't use it today). And if that's not used, then the cluster master goes away.

By tossing in index replication, we are upping the EC2 count, the EBS sizes are impacted by the search & replication factor, and ongoing configuration is made much more complicated. If one doesn't have strict HA/DR requirements, then EBS snapshots will often suffice for continuity plans.

Therefore, I propose a new "distributed" or "mid" template that is closer to single, than multi. It would only create:

• 1 search head
• N indexers configured as search peers

And that's pretty much it.

[halr9000]

@billbartlett @rarsan thoughts?

[dbitincka]

That's what's we've been discussing for some time now...a complex template may not necessarily fit all customers.

-dritan // +1.917.817.9059

From: Hal Rottenberg Sent: Friday, June 2, 11:11 Subject: Re: [splunk/splunk-aws-cloudformation] Provide a mid-tier distributed search template (#24) To: splunk/splunk-aws-cloudformation Cc: Subscribed

@https://github.com/billbartlettbillbartletthttps://github.com/billbartlett @rarsanhttps://github.com/rarsan thoughts?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on https://github.com/splunk/splunk-aws-cloudformation/issues/24#issuecomment-305910286 GitHubhttps://github.com/splunk/splunk-aws-cloudformation/issues/24#issuecomment-305910286, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AF0zeA7wS9Sk-deV2LnOGgblHMe9b3kmks5sAHqMgaJpZM4NuzAT.

[rarsan]

@halr9000 this is really a tradeoff between configurability vs complexity as eluded to by @dbitincka.

So:

1. How common is this configuration?
2. How much complexity does it add (both implementation-wise and usage-wise)?

Re (1), choosing non-clustered indexers seems to be high value as you argued. Re (2), supporting it is actually medium to low complexity:

• for implementation: it's primarily about skipping the cluster-config step depending on toggle and instead act as a search peer. With configuration management tool, it's as simple as choosing the right Splunk role, be it standard indexer or cluster peer: you can readily switch out the roles via SplunkRole attribute as you can see here where we use Chef under the hood.
• for usage: adding an input parameter to toggle clustering would be sufficient. As of now, AWS CloudFormation still doesn't have a way to conditionally show/hide parameters, so clustering-related form parameters (SF, RF, etc.) would just be ignored when clustering is disabled.

Seems worthwhile IMHO. PR are welcome!

[halr9000]

Just had a 2nd customer need this mid-tier option.

[bcyates]

Any update on this? Would love a non-clustered option