Deployment Architecture

All-In-One configuration and clustering


Dear Community,

We have the following question :

In the 'all-in-one' configuration (1 server holding : Forwarder+Indexer+SH), may we implement clustering, in order to insure redundancy and have two 'all-in-on' servers into two different location but in redundancy so data are secured if one site comes down ?

Thanks in advance,


0 Karma

Revered Legend

No. The clustering requires certain minimum number of nodes and requires those nodes perform specific roles only. So, having just two nodes may not be possible. Have a look at the Splunk documentation for clustering. It'll give you specifics about how many servers (and of what type/role) you need. You could create a cluster with bare minimum number of nodes.


Thanks very much for your answer and documentation, very much appreciated 🙂
It is very important to us to be about having 2 Indexers/peer nodes only. You mention it may not possible to have only two, and the documentation shows with 3 peers, you're right, but for me it is for the example purpose only ? Or it really must be greater or equal to 3 peers at least and so 2 peers cannot be implemented ??

thanks again,
Kind regards

0 Karma


Nobody please ?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...