Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Doubt in indexer clustering

rahulhari88
Explorer
4 weeks ago

Hi

I have a 2 site architecture

Site 1 - 2 indexers, 2 ES SH

Site 2 - 2 indexers, 1ES SH

All of them are in clusters.I wish to have 1 copy per site . What should be my RF and SF? 

Can you also suggest the min rf and sf configuration. 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
4 weeks ago

Hi @rahulhari88 ,

I don't like to have only on e copy od data for each seite because in tjhis way you need to access both the sites when one Indexert is down.

Anyway, you have to configure in $SPLUNK_HOME/etc/system/local/server.conf of your Cluster Manager:

[clustering]
multisite = true
mode = master
available_sites = site1,site2
site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2
pass4SymmKey = <your_password>

or using CLI:

/opt/splunk/bin/splunk edit cluster-config -mode master -multisite true -site site1 -available_sites = site1,site2 -site_replication_factor origin:1,total:2 -site_search_factor origin:1,total:2 -secret <your_password>

Put attention to the Search Affinity: if you use this option, you reduce the traffic in your network between sites, when one site is down you must use the Search Head of the live site, otherwise you don't see all the data.

Ciao.

Giuseppe

0 Karma
Reply

rahulhari88
Explorer
4 weeks ago

Thinking of using this as config , thinking of have RF -4 and SF-3 

[general]
site = site_DC

[clustering]
mode = manager
manager_switchover_mode = auto/manual
manager_uri = clustermanager:cm1,clustermanager:cm2
multisite = true
available_sites = site_DC, site_DR
site_replication_factor = origin:2, site_DC:2, site_DR:2, total:4
site_search_factor = origin:2, site_DC:2, site_DR:1, total:3
replication_factor = 2
pass4SymmKey = <redacted>
cluster_label = abc_idxcluster

[clustermanager:cm1]
manager_uri = https://CM1:8089

[clustermanager:cm2]
manager_uri = https://CM2:8089

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
4 weeks ago

Hi @rahulhari88 ,

you can use only origin and total:

[general]
site = site_DC

[clustering]
mode = manager
manager_switchover_mode = auto/manual
manager_uri = clustermanager:cm1,clustermanager:cm2
multisite = true
available_sites = site_DC, site_DR
site_replication_factor = origin:2, total:4
site_search_factor = origin:2, total:3
replication_factor = 2
pass4SymmKey = <redacted>
cluster_label = abc_idxcluster

[clustermanager:cm1]
manager_uri = https://CM1:8089

[clustermanager:cm2]
manager_uri = https://CM2:8089

Ciao.

Giuseppe

0 Karma
Reply

rahulhari88
Explorer
4 weeks ago

but it says we can @gcusello  use https://docs.splunk.com/Documentation/Splunk/9.4.0/Indexer/Sitereplicationfactor 

rahulhari88_0-1745308755743.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
4 weeks ago

Hi @rahulhari88 ,

my hint is from the Splunk Cluster Administration Course, probably it's ok also in your way: try it.

Ciao.

Giuseppe

0 Karma
Reply

livehybrid
Super Champion
4 weeks ago

Hi

To have 1 copy of each bucket per site in a 2-site indexer cluster, set:

    • Replication Factor (RF): 2
    • Search Factor (SF): 2

This ensures one searchable and one total copy per site.

Minimum configuration: RF and SF must be at least 2 in a multi-site cluster to guarantee one copy per site. Lower values will not provide cross-site redundancy. If you have a SF of 1 then you would be searching cross-site which could add latency and increase the risk of performance issues,

All indexers must be assigned to the correct site in the cluster configuration.

Check out this docs page for more info too: https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Multisitearchitecture

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...