Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can two clusters be merged?

Lowell
Super Champion
‎12-19-2013 05:01 PM

For Enterprise deployment planning purposes, is it possible to merge two individual clusters into a single combined cluster?

For a slightly more realistic example, say there were two separate Splunk clusters running in two separate datacenters, but due to some restructuring the two datacenters were being merged. If both sites had their own Splunk cluster with a master node and a handful of peer nodes, would it be possible relocate the peer notes and just connect to a new master node? And if so, how ugly would this get?

Secondly, if you knew about this possibility before either Splunk cluster was deployed, what planning steps would you take to make the process easier down the road? (For example, I'm assuming that having consistent index names between the two clusters would be helpful in this kind of scenario.)

Reply

bmo017
Path Finder
‎05-16-2017 08:37 PM

I would also say if you are standing up brand new (which it seems you are not though) it is worth noting that setting the cluster configuration to multisite in the front end 'multisite = true' this will allow you to in the future more easily flip the switch to merge the two and have the Splunk allocate the data across the newly added indexers.

This will allow for you to add the new site and have the data re-balance across the newly linked indexer nodes.

0 Karma
Reply

atat23
Path Finder
‎03-24-2015 06:27 AM

Old topic but the need for this has come up for me recently, did you ever carry this procedure out? would be very interested in the result.

To me it seems like it may not be an issue based on:

http://docs.splunk.com/Documentation/Splunk/6.2.2/Indexer/Whathappenswhenamasternodegoesdown

If CM02 is removed and the configurations of the two separate clusters are merged (in my case the clusters are already have the same configuration for inputs/indexes etc), the Peers are then pointed to the CM01 and they will report their replication statuses back to their new CM.

Again, in my case the SF and RF factor should already be met so there shouldn't be any remediation needed.

There is also:

http://docs.splunk.com/Documentation/Splunk/6.2.2/Indexer/Handlemasternodefailure

So as long as nothing in the server.conf and master-apps config that is overlooked I'm thinking that a merge won't be an issue.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...