Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

3 site multisite indexer cluster: Can we keep the 3 site configuration, but decommission one site and physically move those indexers to the other sites?

sat94541
Communicator
‎02-15-2016 05:29 PM

I guess it is different cause the first one still leaves multisite as true, but now has a new number of sites which is a much more complex scenario than just ignore site value if multisite is false as I assume is the fix for the second one.

We need to move the Indexers physically to another location and that is why they are looking to decommission one site.

Current Setup

Site 1 – 3 Indexers
Site 2 – 3 Indexers
Site 3 – 2 Indexers
SRF/SSF is origin:2 total:6

We want to decommission the site with the 2 Indexers and add them to the other sites.

Can we keep the 3 sites configuration, but change the server’s location physically?
Are there any considerations I am missing?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rbal_splunk
Splunk Employee
Splunk Employee
‎02-15-2016 05:58 PM

In order to consider your option it’s good idea to know about Bug# SPL-110192:Multi-site buckets should not be bonded to Originating Site

Due to this Bug if you remove site3 and decommission the Peer on site 3, all the bucket that had Originating(created) on indexers of Site3 will continue to throw message “missing={site3:x}enough start targets=1”. This message is annoying but can be complete ignore entire data will still be searchable. These messages will eventually go away once these buckets age out and you will be back in state without this errors.So, when you move the indexer of site3 to site1 or site you- you will be better of re-installing the splunk instance and adding these as fresh.

On the other side if you decide to keep the site3 configuration you will need to have at least one copy of bucket and you can use configuration like below- and stop forwarding any data to site 3 indexer- eventually over time when the data ages out – decommission site 3.

site_replication_factor = origin:, site1: , site2: , site3:1, total:4
site_search_factor = origin:, site1:, site2:, site3:1 total:2

View solution in original post

Reply
Solved! Jump to solution
Solution

rbal_splunk
Splunk Employee
Splunk Employee
‎02-15-2016 05:58 PM

In order to consider your option it’s good idea to know about Bug# SPL-110192:Multi-site buckets should not be bonded to Originating Site

Due to this Bug if you remove site3 and decommission the Peer on site 3, all the bucket that had Originating(created) on indexers of Site3 will continue to throw message “missing={site3:x}enough start targets=1”. This message is annoying but can be complete ignore entire data will still be searchable. These messages will eventually go away once these buckets age out and you will be back in state without this errors.So, when you move the indexer of site3 to site1 or site you- you will be better of re-installing the splunk instance and adding these as fresh.

On the other side if you decide to keep the site3 configuration you will need to have at least one copy of bucket and you can use configuration like below- and stop forwarding any data to site 3 indexer- eventually over time when the data ages out – decommission site 3.

site_replication_factor = origin:, site1: , site2: , site3:1, total:4
site_search_factor = origin:, site1:, site2:, site3:1 total:2

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...