3 site multisite indexer cluster: Can we keep the 3 site configuration, but decommission one site and physically move those indexers to the other sites?

sat94541
Communicator

I guess it is different because the first one still leaves multisite as true but now has a new number of sites, which is a much more complex scenario than just ignoring the site value if multisite is false, as I assume is the fix for the second one.

We need to move the Indexers physically to another location and that is why they are looking to decommission one site.

Current Setup

Site 1 – 3 Indexers
Site 2 – 3 Indexers
Site 3 – 2 Indexers
SRF/SSF is origin:2 total:6

We want to decommission the site with the 2 Indexers and add them to the other sites.

Can we keep the 3 sites configuration, but change the server’s location physically?
Are there any considerations I am missing?


rbal_splunk
Splunk Employee

In order to consider your option, it’s a good idea to know about Bug# SPL-110192: Multi-site buckets should not be bonded to Originating Site

Due to this bug, if you remove site3 and decommission the peer on site 3, all the buckets that originated (were created) on indexers of site3 will continue to throw the message “missing={site3:x}enough start targets=1”. This message is annoying but can be completely ignored; the entire data will still be searchable. These messages will eventually go away once these buckets age out, and you will be back in a state without these errors. So, when you move the indexers of site3 to site1 or site2, you will be better off re-installing the Splunk instance and adding these as fresh.

On the other hand, if you decide to keep the site3 configuration, you will need to have at least one copy of the bucket, and you can use a configuration like the one below and stop forwarding any data to the site 3 indexers. Eventually, over time, when the data ages out, decommission site 3.

site_replication_factor = origin:, site1: , site2: , site3:1, total:4
site_search_factor = origin:, site1:, site2:, site3:1, total:2
