Deployment Architecture

Decommission A Site: How to change single site cluster to a two indexer configuration?

molinarf
Communicator

I am currently needing to change our single site cluster to a two indexer configuration that is peered for ease of maintenance for the next person who replaces me at this site. I currently have 2 indexers, 1 deployment server, 1 cluster/license master and 1 search head. Here is what I need to do.

First - Move all Splunk forwarders to use the second indexer as the deployment server without having to reinstall all the forwarders. I thought that his was as simple as changing the deployment.conf file, but it does not seem to be working. Maybe the cluster master has something?

Second - Remove the indexers from the cluster and delete the cluster from the Cluster Master and break the distributed search.

Third - Change the license server to the first indexer

At this point, I can shut down all servers except the indexer and everything will work.

If there is anyone that can help me, I would greatly appreciate it. I want to do this as quickly and smoothly as possible.

Thank you in advanced.

Robert

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If you really want to be considerate of your replacement, you'll leave everything as it is.  Spend the time you would have used on breaking the environment and, instead, document what is there and how it works.  Maybe write a few scripts to help out.  I envision a lot may go wrong in such a radical re-architecture and your replacement may be stuck fixing the damage.

---
If this reply helps you, Karma would be appreciated.
0 Karma

molinarf
Communicator

I understand what you are saying for me to do, however my customer has asked me to put it back to a simpler configuration. It means changing it back to 2 indexers without the rest of the servers as my replacement will probably not have the knowledge and experience that I have. That is not saying that I have a lot either. That is why I am asking for assistance in doing this. So if there is anyone who can assist me, I would greatly appreciate it.

Robert

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...