Deployment Architecture

Clarification on Clustering & Index Replication

rturk
Builder

Hi All,

In reading a recently posted (16 Oct 2013) Splunk blog post "Clustering Optimizations in Splunk 6", the following was mentioned:

In the previous Splunk 5 version, users will not be able to search and
use the cluster until the cluster master ensures that all of the
replication policies are met. In some cases, this might take long time and
users are unnecessarily blocked until then.

Should I take this to mean that in v5, functional Index replication & searchability is only possible when you have n+1 indexers (where n is the index replication factor)? For example, if I have two indexers, and have set an index replication & searchability factor of two, this won't actually work as expected (i.e. full data availability in the event of a single indexer failure).

Any input is appreciated 🙂

mahamed_splunk
Splunk Employee
Splunk Employee

For example, if I have two indexers, and have set an index replication & searchability factor of two, this won't actually work as expected

No, If your replication policy is set to 2 and you have 2 indexers available, then your policy is already met, so users will be able to access and search the data.

rashid47010
Communicator

Hi
I have two index instances and one seach head
Now i want to configure replication and failover between these teo indexers.
How can i achieve this ?

0 Karma

mahamed_splunk
Splunk Employee
Splunk Employee

Got it. Even if only one indexer is available, the data will continue to be available and searchable. The optimization the blog post talks about is the order in which we fix indexes and commit generations.

rturk
Builder

Hi Mahamed - I understand that if both of my indexers are available it will work, my question concerns the platform behaviour if one indexer has failed (e.g. "work as expected (i.e. full data availability in the event of a single indexer failure)."

0 Karma

rturk
Builder

FYI I have logged a support case for this and will report back with any findings.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...