Solved: Can I control where the primary copy resides in a ... - Page 2

jiaqya · ‎02-20-2019

Question:

I have SiteA and SiteB and plan to keep 2 copies, ie RF=2

I would like to use this setup where forwarders send data to SiteA, then the replication occurs to SiteB.

Each site would maintain a copy each.

Can I control where the primary copy resides in case of multisite? I would prefer it to reside on SiteA.

Is this possible OR how can this be achieved?

markusspitzli · ‎02-20-2019

Hi

You can configure the masternode like this (server.conf):

[clustering]
multisite = true
site_replication_factor = origin:1 total:2
site_search_factor = origin:1, total:2
available_sites = site1, site2

On each Indexer you will have to configure its site (server.conf):

[general]
site = site1

You have to configure the Universalforwarder, so that it only sends the Logs to SiteA:

[tcpout]
defaultGroup = mygroup
forwardedindex.filter.disable = true
useACK = true

[tcpout:mygroup]
server = idx1_site1:9997, idx2_site1:9997

The primary copy will be on siteA. It will switch to SiteB if the indexer on SiteA is down. If you want to prevent this you would have to increase the RF to 3 --> site_replication_factor = origin:2 total:3

View solution in original post

Can I control where the primary copy resides in a multisite indexer cluster setup?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms