topic Re: Splunk Local Disaster Recovery Solution in Splunk Enterprise

Splunk Local Disaster Recovery Solution

jiaminyun — Wed, 16 Oct 2024 02:19:17 GMT

Hello, we urgently need to obtain a Splunk local disaster recovery solution and hope to receive a best practice explanation. The existing Splunk consists of 3 search heads, 1 deployer, 1 master node, 1 DMC, 3 indexes, and 2 heavy forwarders. In this architecture, the search replication factors are all 2 and there is stock data available. The demand for local disaster recovery is: The host room where the existing data center's Xinchuang SIEM system is located has been shut down, and the data in the disaster recovery room can be queried normally. The closure of the newly built disaster recovery host room will not affect the use of the existing data center's SIEM system. RPO 0 cannot lose data, RTO can recover within 6 hours.

Re: Splunk Local Disaster Recovery Solution

richgalloway — Wed, 16 Oct 2024 12:09:34 GMT

The Splunk Validated Architectures manual should help. You may be interested in the M3/M13 or M4/M14 models. See https://docs.splunk.com/Documentation/SVA/current/Architectures/M4M14

Re: Splunk Local Disaster Recovery Solution

PickleRick — Wed, 16 Oct 2024 12:56:50 GMT

Well, it's actually _not_ a disaster recovery. It's a HA solution with some assumed level of fault tolerance.

@jiaminyunThere is no such thing as "0 RPO" unless you do make some boundary conditions and prepare accordingly. A HA infrastructure like the one from SVAs can protect you in case of some disasters but will not protect you from other ones (like misconfiguration or deliberate data destroying). If you're OK with that - be my guest. Just be aware of it.

RTO actually depends on your equipment, storage and resources (including personnel) you can allocate to the recovery task.

Re: Splunk Local Disaster Recovery Solution

jiaminyun — Tue, 22 Oct 2024 10:42:11 GMT

Thank you for your response, We have achieved the final same city disaster recovery architecture by combining M3/M13 and UF clone dual writing!

Re: Splunk Local Disaster Recovery Solution

jiaminyun — Tue, 22 Oct 2024 10:43:22 GMT

Thank you for your response, We have achieved the final same city disaster recovery architecture by combining M3/M13 and UF clone dual writing!

Re: Splunk Local Disaster Recovery Solution

jiaminyun — Wed, 30 Oct 2024 06:40:39 GMT

After testing UF output cloning, it was found that it is impossible to achieve true same data distribution across multiple clusters! Is there any good solution for dual writing? most urgent!

Re: Splunk Local Disaster Recovery Solution

jiaminyun — Wed, 30 Oct 2024 06:42:09 GMT

After testing UF output cloning, it was found that it is impossible to achieve true same data distribution across multiple clusters! Is there any good solution for dual writing? most urgent!

Re: Splunk Local Disaster Recovery Solution

PickleRick — Wed, 30 Oct 2024 07:17:45 GMT

If you mean sending to two output groups from a single forwarder - that works until one of them gets blocked. Then both stop. It's by design.