Backup of indexed data in cluster with two nodes and replication factor = 2

mas
Path Finder

Hi,

We have a multisite indexer cluster with two nodes and replication factor = 2. All instances are running Splunk 6.2. In the official documentation we read that it is not possible to back up just the data on a single node, since there's no certainty that a single node contains all the data in the cluster.

I suspect that this is not true in our scenario, where all data are replicated to both nodes (replication factor = total number of peers). Am I right? Can we back up data from one node (snapshot backup) and be sure that all data has been saved?

0 Karma
mahamed_splunk
Splunk Employee

If there are only 2 nodes and RF = 2 and the cluster met all policies (the dashboard is green), then you can take a backup from a single node.

0 Karma

mas
Path Finder

Thank you.

It would be nice to be able to check the cluster status before starting the backup job, raising a warning if it is not consistent. I think the only way to automate this check would be to run "bin/splunk show cluster-status --verbose" and check for "Replication factor met" and "Search factor met", but this command is available only on the master node, while the check should be executed by the backup agent running on one of the peers. In addition, there would be an authentication request from the Splunk daemon.

As a result, I think it is not possible to automate this check in a simple way.

0 Karma
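
An added example, not part of the thread: a fail-closed gate for the backup job that parses `show cluster-status --verbose` text for the two markers named in the reply above. How the peer obtains that text from the master is left to a wrapper command; the function names and the sample output (including the "not met" wording) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed pre-backup gate.

# check_cluster_status: read `show cluster-status --verbose` text on stdin.
# Returns 0 = both factors met,
#         1 = a "met" line is missing (treated as not met),
#         2 = no recognisable status (command failed, auth refused, empty output).
check_cluster_status() {
    # Trim leading/trailing whitespace so whole-line matching is reliable.
    _ccs_text=$(sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    # No "... factor ..." line at all means real status output never arrived.
    printf '%s\n' "$_ccs_text" | grep -qE '^(Replication|Search) factor ' || return 2
    # Whole-line, fixed-string match: any other wording counts as "not met".
    printf '%s\n' "$_ccs_text" | grep -qxF 'Replication factor met' || return 1
    printf '%s\n' "$_ccs_text" | grep -qxF 'Search factor met' || return 1
    return 0
}

# guarded_backup STATUS_CMD BACKUP_CMD: run BACKUP_CMD only if the gate passes.
# STATUS_CMD is assumed to print the master's status text on stdout.
guarded_backup() {
    _gb_rc=0
    "$1" 2>/dev/null | check_cluster_status || _gb_rc=$?
    case $_gb_rc in
        0) "$2" ;;
        1) echo "WARNING: replication/search factor not met, backup skipped" >&2
           return 1 ;;
        *) echo "WARNING: cluster status unavailable, backup skipped" >&2
           return 2 ;;
    esac
}

# Constructed stand-ins for the real commands (hypothetical names and output).
status_green()    { printf '\n Replication factor met\n Search factor met\n'; }
status_degraded() { printf '\n Replication factor not met\n Search factor met\n'; }
status_denied()   { echo "login failed" >&2; return 1; }
fake_snapshot()   { echo "snapshot taken"; }
```

The gate treats an unreachable master or a refused login the same as a degraded cluster, so a snapshot is never taken on the strength of missing information.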