Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Doubt in indexer clustering

rahulhari88
Explorer
‎04-21-2025 06:35 PM

Hi

I have a 2 site architecture

Site 1 - 2 indexers, 2 ES SH

Site 2 - 2 indexers, 1ES SH

All of them are in clusters.I wish to have 1 copy per site . What should be my RF and SF? 

Can you also suggest the min rf and sf configuration. 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-21-2025 11:59 PM

Hi @rahulhari88 ,

I don't like to have only on e copy od data for each seite because in tjhis way you need to access both the sites when one Indexert is down.

Anyway, you have to configure in $SPLUNK_HOME/etc/system/local/server.conf of your Cluster Manager:

[clustering]
multisite = true
mode = master
available_sites = site1,site2
site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2
pass4SymmKey = <your_password>

or using CLI:

/opt/splunk/bin/splunk edit cluster-config -mode master -multisite true -site site1 -available_sites = site1,site2 -site_replication_factor origin:1,total:2 -site_search_factor origin:1,total:2 -secret <your_password>

Put attention to the Search Affinity: if you use this option, you reduce the traffic in your network between sites, when one site is down you must use the Search Head of the live site, otherwise you don't see all the data.

Ciao.

Giuseppe

0 Karma
Reply

rahulhari88
Explorer
‎04-22-2025 12:13 AM

Thinking of using this as config , thinking of have RF -4 and SF-3 

[general]
site = site_DC

[clustering]
mode = manager
manager_switchover_mode = auto/manual
manager_uri = clustermanager:cm1,clustermanager:cm2
multisite = true
available_sites = site_DC, site_DR
site_replication_factor = origin:2, site_DC:2, site_DR:2, total:4
site_search_factor = origin:2, site_DC:2, site_DR:1, total:3
replication_factor = 2
pass4SymmKey = <redacted>
cluster_label = abc_idxcluster

[clustermanager:cm1]
manager_uri = https://CM1:8089

[clustermanager:cm2]
manager_uri = https://CM2:8089

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-22-2025 12:19 AM

Hi @rahulhari88 ,

you can use only origin and total:

[general]
site = site_DC

[clustering]
mode = manager
manager_switchover_mode = auto/manual
manager_uri = clustermanager:cm1,clustermanager:cm2
multisite = true
available_sites = site_DC, site_DR
site_replication_factor = origin:2, total:4
site_search_factor = origin:2, total:3
replication_factor = 2
pass4SymmKey = <redacted>
cluster_label = abc_idxcluster

[clustermanager:cm1]
manager_uri = https://CM1:8089

[clustermanager:cm2]
manager_uri = https://CM2:8089

Ciao.

Giuseppe

0 Karma
Reply

rahulhari88
Explorer
‎04-22-2025 12:59 AM

but it says we can @gcusello  use https://docs.splunk.com/Documentation/Splunk/9.4.0/Indexer/Sitereplicationfactor 

rahulhari88_0-1745308755743.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-22-2025 02:04 AM

Hi @rahulhari88 ,

my hint is from the Splunk Cluster Administration Course, probably it's ok also in your way: try it.

Ciao.

Giuseppe

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎04-21-2025 11:40 PM

Hi

To have 1 copy of each bucket per site in a 2-site indexer cluster, set:

    • Replication Factor (RF): 2
    • Search Factor (SF): 2

This ensures one searchable and one total copy per site.

Minimum configuration: RF and SF must be at least 2 in a multi-site cluster to guarantee one copy per site. Lower values will not provide cross-site redundancy. If you have a SF of 1 then you would be searching cross-site which could add latency and increase the risk of performance issues,

All indexers must be assigned to the correct site in the cluster configuration.

Check out this docs page for more info too: https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Multisitearchitecture

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...