Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Decommission A Site: How to change single site cluster to a two indexer configuration?

molinarf
Communicator
‎03-29-2022 01:51 PM

I am currently needing to change our single site cluster to a two indexer configuration that is peered for ease of maintenance for the next person who replaces me at this site. I currently have 2 indexers, 1 deployment server, 1 cluster/license master and 1 search head. Here is what I need to do.

First - Move all Splunk forwarders to use the second indexer as the deployment server without having to reinstall all the forwarders. I thought that his was as simple as changing the deployment.conf file, but it does not seem to be working. Maybe the cluster master has something?

Second - Remove the indexers from the cluster and delete the cluster from the Cluster Master and break the distributed search.

Third - Change the license server to the first indexer

At this point, I can shut down all servers except the indexer and everything will work.

If there is anyone that can help me, I would greatly appreciate it. I want to do this as quickly and smoothly as possible.

Thank you in advanced.

Robert

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-29-2022 04:46 PM

If you really want to be considerate of your replacement, you'll leave everything as it is.  Spend the time you would have used on breaking the environment and, instead, document what is there and how it works.  Maybe write a few scripts to help out.  I envision a lot may go wrong in such a radical re-architecture and your replacement may be stuck fixing the damage.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

molinarf
Communicator
‎03-29-2022 04:51 PM

I understand what you are saying for me to do, however my customer has asked me to put it back to a simpler configuration. It means changing it back to 2 indexers without the rest of the servers as my replacement will probably not have the knowledge and experience that I have. That is not saying that I have a lot either. That is why I am asking for assistance in doing this. So if there is anyone who can assist me, I would greatly appreciate it.

Robert

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...