Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Decommissioning Old Site, Transitioning to Single Site

Sivrat
Path Finder
‎09-30-2021 01:56 PM

I have a multi-site cluster, and am planning on decommissioning one to transform it into a single-site cluster.

Looking over these two guides:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Indexer/Decommissionasite

https://docs.splunk.com/Documentation/Splunk/8.1.2/Indexer/Converttosinglesite

And trying to see how to do both, preferably at the same time.

When converting to a single-site, it states to stop the entire cluster, update the configurations, then start the cluster back up.

Is there any issue with doing the configurations changes necessary for decommissioning the old site while everything is offline, and only bringing up the remaining site?

Basically, current plan is:

  1. Stop all nodes
  2. Update the Manager Configs
    1. Set multi-site to false
    2. Set single site search/rep factors
    3. Remove site attribute
    4. Remove available_sites attribute/site mappings
  3. Update Search Head Configs
    1. Set multi-site to false
    2. Remove site attribute
  4. Start nodes that are remaining from new site

Would this work, or would it cause conflicts in replication somehow? Do I need to use Splunk commands on the cluster manager to remove the old indexers?

0 Karma
Reply

trashyroadz
Splunk Employee
Splunk Employee
‎04-09-2023 04:21 PM

Quite some time has passed since this question was posted, but a similar question came up today...

Most likely, the processes need to remain separate so the CM can cleanly update journal.gz on all decommissioned site indexers to the site they are moving to, and to allow the CM to meet SF/RF on the remaining site before changing it to a single-site cluster. This assumes you set the remaining site's SF/RF to be identical to what it would be when it becomes single-site.

If this process CAN be combined, I suspect it is possible if site_mappings attribute in CM's server.conf was not removed, but instead updated to <decommissioned_site_id>:<remaining_site_id>.

site_mappings = site2:site1

When the CM comes back up, it will very quickly update journal.gz on all site2 indexers so the buckets are assigned to site1.

Assuming of course the cluster was placed into Maintenance Mode during this process, as doing so will keep the CM from initiating unnecessary fix-up tasks. 

-- now that's Trashy!
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...