I have a Splunk Indexer cluster. The cluster consists of 3 peer nodes, with a replication factor of 3.
My issues are surrounding freezing off old log data.
1. I need to be able to archive off old logs. The documentation does not give a definitive way to do this with a clustered environment. I would think that since I have a replication factor of 3, each indexer has a complete copy of all the data, and therefore, I would only need to freeze data from one peer node.
2. If the observation in point 1 is correct, since all configuration should be the same between indexers in a cluster, I don't think I can use the native Splunk config for archiving log data (or can I)?
How have others handled this?
Does anyone have any advice on how to best proceed?
Splunk is smart enough to know it's in a cluster and only the "primary" copy of the bucket will be archived. So you don't need to worry about it. Just configure it the same as a non-clustered environment.
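Following the answer's advice (configure it like a non-clustered deployment and push the same settings to every peer), here is an added example of an `indexes.conf` stanza for a hypothetical index named `app_logs`; it is not from the original thread or from Splunk's own documentation. The stanza would live in an app under the cluster manager's configuration bundle directory (`master-apps` on older releases, `manager-apps` on newer ones) so that all three peers receive identical settings, which addresses the concern in point 2. The retention period, size limit and archive path are assumed values for illustration.

```ini
# Constructed example: $SPLUNK_HOME/etc/master-apps/app_retention/local/indexes.conf
# (use manager-apps instead of master-apps on recent Splunk releases)
# Deployed from the cluster manager so every peer carries the same retention policy.

[app_logs]
homePath   = $SPLUNK_DB/app_logs/db
coldPath   = $SPLUNK_DB/app_logs/colddb
thawedPath = $SPLUNK_DB/app_logs/thaweddb

# Freeze (roll out of searchable storage) buckets whose newest event is older than
# 90 days. Buckets are also frozen once the index exceeds maxTotalDataSizeMB.
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB     = 500000

# Archive instead of delete: Splunk copies the raw bucket data to this directory
# before removing the bucket. Path is an assumed value; it must exist on each peer
# and be writable by the splunk user. Point it at storage with its own retention
# and access controls, since archived buckets are still readable log data.
coldToFrozenDir = /archive/splunk/app_logs

# Alternative to coldToFrozenDir (do not set both): hand the bucket to a script,
# e.g. to compress it or ship it off-host before it is removed.
# coldToFrozenScript = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/etc/apps/app_retention/bin/archive_bucket.py"
```

After editing the bundle on the manager, validate and apply it with `splunk validate cluster-bundle` followed by `splunk apply cluster-bundle`; the peers then pick up the new retention settings, and each peer writes the frozen buckets it is responsible for into the archive directory. Keep the archive path outside `thawedPath`, since restoring an archived bucket for investigation is done by copying it back into `thaweddb` and rebuilding it.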