Deployment Architecture

3 site multisite indexer cluster: Can we keep the 3 site configuration, but decommission one site and physically move those indexers to the other sites?

Communicator

I guess it is different because the first one still leaves multisite as true, but now has a new number of sites, which is a much more complex scenario than just ignoring the site value if multisite is false, as I assume is the fix for the second one.

We need to move the Indexers physically to another location and that is why they are looking to decommission one site.

Current Setup

Site 1 – 3 Indexers
Site 2 – 3 Indexers
Site 3 – 2 Indexers
SRF/SSF is origin:2 total:6

We want to decommission the site with the 2 Indexers and add them to the other sites.

Can we keep the 3 sites configuration, but change the server’s location physically?
Are there any considerations I am missing?


Splunk Employee

In order to consider your option, it’s a good idea to know about Bug# SPL-110192: Multi-site buckets should not be bonded to Originating Site

Due to this bug, if you remove site3 and decommission the peer on site 3, all the buckets that originated (were created) on indexers of site3 will continue to throw the message “missing={site3:x}enough start targets=1”. This message is annoying but can be completely ignored; the entire data will still be searchable. These messages will eventually go away once these buckets age out, and you will be back in a state without these errors. So, when you move the indexers of site3 to site1 or site2, you will be better off re-installing the Splunk instance and adding these as fresh.

On the other side, if you decide to keep the site3 configuration, you will need to have at least one copy of the bucket, and you can use a configuration like the one below and stop forwarding any data to the site 3 indexers. Eventually, over time, when the data ages out, decommission site 3.

site_replication_factor = origin:, site1: , site2: , site3:1, total:4
site_search_factor = origin:, site1:, site2:, site3:1 total:2
