Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Can two clusters be merged?

Lowell
Super Champion
‎12-19-2013 05:01 PM

For Enterprise deployment planning purposes, is it possible to merge two individual clusters into a single combined cluster?

For a slightly more realistic example, say there were two separate Splunk clusters running in two separate datacenters, but due to some restructuring the two datacenters were being merged. If both sites had their own Splunk cluster with a master node and a handful of peer nodes, would it be possible relocate the peer notes and just connect to a new master node? And if so, how ugly would this get?

Secondly, if you knew about this possibility before either Splunk cluster was deployed, what planning steps would you take to make the process easier down the road? (For example, I'm assuming that having consistent index names between the two clusters would be helpful in this kind of scenario.)

Reply

bmo017
Path Finder
‎05-16-2017 08:37 PM

I would also say if you are standing up brand new (which it seems you are not though) it is worth noting that setting the cluster configuration to multisite in the front end 'multisite = true' this will allow you to in the future more easily flip the switch to merge the two and have the Splunk allocate the data across the newly added indexers.

This will allow for you to add the new site and have the data re-balance across the newly linked indexer nodes.

0 Karma
Reply

atat23
Path Finder
‎03-24-2015 06:27 AM

Old topic but the need for this has come up for me recently, did you ever carry this procedure out? would be very interested in the result.

To me it seems like it may not be an issue based on:

http://docs.splunk.com/Documentation/Splunk/6.2.2/Indexer/Whathappenswhenamasternodegoesdown

If CM02 is removed and the configurations of the two separate clusters are merged (in my case the clusters are already have the same configuration for inputs/indexes etc), the Peers are then pointed to the CM01 and they will report their replication statuses back to their new CM.

Again, in my case the SF and RF factor should already be met so there shouldn't be any remediation needed.

There is also:

http://docs.splunk.com/Documentation/Splunk/6.2.2/Indexer/Handlemasternodefailure

So as long as nothing in the server.conf and master-apps config that is overlooked I'm thinking that a merge won't be an issue.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...