Deployment Architecture

3 site multisite indexer cluster: Can we keep the 3 site configuration, but decommission one site and physically move those indexers to the other sites?

sat94541
Communicator

I guess it is different cause the first one still leaves multisite as true, but now has a new number of sites which is a much more complex scenario than just ignore site value if multisite is false as I assume is the fix for the second one.

We need to move the Indexers physically to another location and that is why they are looking to decommission one site.

Current Setup

Site 1 – 3 Indexers
Site 2 – 3 Indexers
Site 3 – 2 Indexers
SRF/SSF is origin:2 total:6

We want to decommission the site with the 2 Indexers and add them to the other sites.

Can we keep the 3 sites configuration, but change the server’s location physically?
Are there any considerations I am missing?

0 Karma
1 Solution

rbal_splunk
Splunk Employee
Splunk Employee

In order to consider your option it’s good idea to know about Bug# SPL-110192:Multi-site buckets should not be bonded to Originating Site

Due to this Bug if you remove site3 and decommission the Peer on site 3, all the bucket that had Originating(created) on indexers of Site3 will continue to throw message “missing={site3:x}enough start targets=1”. This message is annoying but can be complete ignore entire data will still be searchable. These messages will eventually go away once these buckets age out and you will be back in state without this errors.So, when you move the indexer of site3 to site1 or site you- you will be better of re-installing the splunk instance and adding these as fresh.

On the other side if you decide to keep the site3 configuration you will need to have at least one copy of bucket and you can use configuration like below- and stop forwarding any data to site 3 indexer- eventually over time when the data ages out – decommission site 3.

site_replication_factor = origin:, site1: , site2: , site3:1, total:4
site_search_factor = origin:, site1:, site2:, site3:1 total:2

View solution in original post

rbal_splunk
Splunk Employee
Splunk Employee

In order to consider your option it’s good idea to know about Bug# SPL-110192:Multi-site buckets should not be bonded to Originating Site

Due to this Bug if you remove site3 and decommission the Peer on site 3, all the bucket that had Originating(created) on indexers of Site3 will continue to throw message “missing={site3:x}enough start targets=1”. This message is annoying but can be complete ignore entire data will still be searchable. These messages will eventually go away once these buckets age out and you will be back in state without this errors.So, when you move the indexer of site3 to site1 or site you- you will be better of re-installing the splunk instance and adding these as fresh.

On the other side if you decide to keep the site3 configuration you will need to have at least one copy of bucket and you can use configuration like below- and stop forwarding any data to site 3 indexer- eventually over time when the data ages out – decommission site 3.

site_replication_factor = origin:, site1: , site2: , site3:1, total:4
site_search_factor = origin:, site1:, site2:, site3:1 total:2

Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...