Deployment Architecture

Distributed Deployment: Splunk data replication

MHibbin
Influencer

Hi,

I have a question with a distributed deployment...

If a deployment was set-up to have for example:

  • 2 x Indexers
  • n x Forwarders (set-up to autoLb between the indexers)
  • 1 x Search Head

The autoLB will forward data to the Splunk indexers in a cycle based on time. What happens to the visibility of data if one of the Indexers was to become inactive (e.g. a system failure, etc.)? I would imagine that Splunk would be able to view ~half of the data, is this assumption correct?

How would data replication between the Indexers take place? If there is a requirement for the data to remain 100% visible, what would be best to achieve this?

I'm sure I have come across guidelines on data replication between two indexers in past notes/discussions/Splunk documentation. But I am not able to find the justification I require.

Are there any thoughts on documentation or sources of information that would be useful?

Any thoughts welcome, thanks in advance.

Regards,

MHibbin

1 Solution

gkanapathy
Splunk Employee

You are correct that if one indexer is out, only half the data will be visible, though the search head will report that it is unable to reach all indexers.

In the current version, there is no native replication of data. You will have to do this either using the underlying storage to replicate, or by forwarding from indexer to a replica instance. Both have disadvantages relative to the other. In addition, there is no built-in mechanism for failover, so you would have to implement this yourself. These solutions are not entirely simple to implement correctly and robustly. An overview of this is here: http://docs.splunk.com/Documentation/Splunk/4.3.2/Installation/Highavailabilityreferencearchitecture

In future versions, you may expect some form of built-in replication, as well as a more automated built-in failover, that should be preferable to these other methods.

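As an added illustration (not part of the original thread, and not configuration taken from Splunk's documentation), the two forwarding arrangements discussed in this answer can be expressed as outputs.conf stanzas: the forwarders auto-load-balancing across the two indexers, and an indexer that keeps its own copy while forwarding everything on to a replica instance. Hostnames, ports and group names (idx-a, idx-b, idx-a-replica, 9997) are assumed placeholders; the receiving port must match the inputs.conf splunktcp stanza on each receiver.

```ini
# --- outputs.conf on every forwarder (assumed example, not from the thread) ---
# Events rotate between the two indexers on a timer, so with one indexer down
# roughly half of the data becomes unsearchable and the search head reports
# that it cannot reach that peer.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx-a.example.internal:9997, idx-b.example.internal:9997
autoLB = true
# seconds between switching to the next receiver in the group
autoLBFrequency = 30

# --- outputs.conf on indexer idx-a (assumed example, not from the thread) ---
# Index locally AND forward a copy to a replica instance. The replica then
# holds a second searchable copy of everything idx-a received. The same
# pattern is repeated on idx-b with its own replica; failover (pointing the
# search head at the replica when idx-a is down) is still a manual step.
[indexAndForward]
index = true

[tcpout]
defaultGroup = replica_of_idx_a

[tcpout:replica_of_idx_a]
server = idx-a-replica.example.internal:9997
```

Note that the replica only ever sees what its source indexer managed to receive: if idx-a fails, events the forwarders then send to idx-b are not copied to idx-a's replica, so both indexers need their own replica for the "100% visible" requirement, and the search head must be repointed to the surviving copy by hand.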

