Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cluster replication and licensing

pil321
Communicator
‎02-06-2014 11:36 AM

I currently have a cluster deployed in a test environment (replication factor of 2). I've been reading some of the posts here dealing with clusters and licensing, specifically the impact that 2 indexers would have on licensing.

I've read that replicating the data would have no impact on the license, but when I look at the "licensing" information on the master, I see that both indexers are being tallied against the daily volume.

Is there a way to change this behavior?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pil321
Communicator
‎02-08-2014 07:46 AM

kudos to martin_mueller for answering this question (see comments section).

View solution in original post

Reply
Solved! Jump to solution
Solution

pil321
Communicator
‎02-08-2014 07:46 AM

kudos to martin_mueller for answering this question (see comments section).

Reply
Solved! Jump to solution

pil321
Communicator
‎02-08-2014 07:44 AM

I see. Thank you for your reply. That makes it much clearer on my end.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-07-2014 05:16 AM

You should see the same daily volume, regardless of the number of indexers and the search/replication factors... provided you don't do data cloning before indexing.

Each indexer indexes half the data, and then replicates the indexed data to its sibling indexer - that's where the fault tolerance is covered. The replication data is not tallied against the daily licensing volume because it's not re-indexed.

Reply
Solved! Jump to solution

pil321
Communicator
‎02-07-2014 04:50 AM

So, if I had only one indexer (not a cluster, no load-balancing), I would see the same daily volume?

If each indexer in a cluster has half the data, I don't understand how this would work for fault tolerance (but I guess that is a bit off topic).

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-06-2014 12:30 PM

Both indexers are tallying against the daily volume, that's correct - for the data they receive from forwarders/inputs. Usually each indexer gets roughly half the data, and both halves are counted just like in a non-clustered load-balancing set of indexers.

If you're seeing replication volume appear in there on top of indexing volume then something is seriously wrong... could you provide more background info?

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...