For Enterprise deployment planning purposes, is it possible to merge two individual clusters into a single combined cluster?
For a slightly more realistic example, say there were two separate Splunk clusters running in two separate datacenters, but due to some restructuring the two datacenters were being merged. If both sites had their own Splunk cluster with a master node and a handful of peer nodes, would it be possible relocate the peer notes and just connect to a new master node? And if so, how ugly would this get?
Secondly, if you knew about this possibility before either Splunk cluster was deployed, what planning steps would you take to make the process easier down the road? (For example, I'm assuming that having consistent index names between the two clusters would be helpful in this kind of scenario.)
I would also say if you are standing up brand new (which it seems you are not though) it is worth noting that setting the cluster configuration to multisite in the front end 'multisite = true' this will allow you to in the future more easily flip the switch to merge the two and have the Splunk allocate the data across the newly added indexers.
This will allow for you to add the new site and have the data re-balance across the newly linked indexer nodes.
Old topic but the need for this has come up for me recently, did you ever carry this procedure out? would be very interested in the result.
To me it seems like it may not be an issue based on:
If CM02 is removed and the configurations of the two separate clusters are merged (in my case the clusters are already have the same configuration for inputs/indexes etc), the Peers are then pointed to the CM01 and they will report their replication statuses back to their new CM.
Again, in my case the SF and RF factor should already be met so there shouldn't be any remediation needed.
There is also:
So as long as nothing in the server.conf and master-apps config that is overlooked I'm thinking that a merge won't be an issue.