Deployment Architecture

3 site multisite indexer cluster: Can we keep the 3 site configuration, but decommission one site and physically move those indexers to the other sites?

sat94541
Communicator

I guess it is different cause the first one still leaves multisite as true, but now has a new number of sites which is a much more complex scenario than just ignore site value if multisite is false as I assume is the fix for the second one.

We need to move the Indexers physically to another location and that is why they are looking to decommission one site.

Current Setup

Site 1 – 3 Indexers
Site 2 – 3 Indexers
Site 3 – 2 Indexers
SRF/SSF is origin:2 total:6

We want to decommission the site with the 2 Indexers and add them to the other sites.

Can we keep the 3 sites configuration, but change the server’s location physically?
Are there any considerations I am missing?

0 Karma
1 Solution

rbal_splunk
Splunk Employee
Splunk Employee

In order to consider your option it’s good idea to know about Bug# SPL-110192:Multi-site buckets should not be bonded to Originating Site

Due to this Bug if you remove site3 and decommission the Peer on site 3, all the bucket that had Originating(created) on indexers of Site3 will continue to throw message “missing={site3:x}enough start targets=1”. This message is annoying but can be complete ignore entire data will still be searchable. These messages will eventually go away once these buckets age out and you will be back in state without this errors.So, when you move the indexer of site3 to site1 or site you- you will be better of re-installing the splunk instance and adding these as fresh.

On the other side if you decide to keep the site3 configuration you will need to have at least one copy of bucket and you can use configuration like below- and stop forwarding any data to site 3 indexer- eventually over time when the data ages out – decommission site 3.

site_replication_factor = origin:, site1: , site2: , site3:1, total:4
site_search_factor = origin:, site1:, site2:, site3:1 total:2

View solution in original post

rbal_splunk
Splunk Employee
Splunk Employee

In order to consider your option it’s good idea to know about Bug# SPL-110192:Multi-site buckets should not be bonded to Originating Site

Due to this Bug if you remove site3 and decommission the Peer on site 3, all the bucket that had Originating(created) on indexers of Site3 will continue to throw message “missing={site3:x}enough start targets=1”. This message is annoying but can be complete ignore entire data will still be searchable. These messages will eventually go away once these buckets age out and you will be back in state without this errors.So, when you move the indexer of site3 to site1 or site you- you will be better of re-installing the splunk instance and adding these as fresh.

On the other side if you decide to keep the site3 configuration you will need to have at least one copy of bucket and you can use configuration like below- and stop forwarding any data to site 3 indexer- eventually over time when the data ages out – decommission site 3.

site_replication_factor = origin:, site1: , site2: , site3:1, total:4
site_search_factor = origin:, site1:, site2:, site3:1 total:2

Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...