Deployment Architecture

Decommission A Site: How to change single site cluster to a two indexer configuration?

molinarf
Communicator

I am currently needing to change our single site cluster to a two indexer configuration that is peered for ease of maintenance for the next person who replaces me at this site. I currently have 2 indexers, 1 deployment server, 1 cluster/license master and 1 search head. Here is what I need to do.

First - Move all Splunk forwarders to use the second indexer as the deployment server without having to reinstall all the forwarders. I thought that his was as simple as changing the deployment.conf file, but it does not seem to be working. Maybe the cluster master has something?

Second - Remove the indexers from the cluster and delete the cluster from the Cluster Master and break the distributed search.

Third - Change the license server to the first indexer

At this point, I can shut down all servers except the indexer and everything will work.

If there is anyone that can help me, I would greatly appreciate it. I want to do this as quickly and smoothly as possible.

Thank you in advanced.

Robert

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If you really want to be considerate of your replacement, you'll leave everything as it is.  Spend the time you would have used on breaking the environment and, instead, document what is there and how it works.  Maybe write a few scripts to help out.  I envision a lot may go wrong in such a radical re-architecture and your replacement may be stuck fixing the damage.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

molinarf
Communicator

I understand what you are saying for me to do, however my customer has asked me to put it back to a simpler configuration. It means changing it back to 2 indexers without the rest of the servers as my replacement will probably not have the knowledge and experience that I have. That is not saying that I have a lot either. That is why I am asking for assistance in doing this. So if there is anyone who can assist me, I would greatly appreciate it.

Robert

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...