Solved: Help on Splunk deployment plan

jg91 · ‎12-30-2019

Hello friends,
We want to deploy splunk in a new site and we have 2 powerful server with SSD storage, We need to have data high availability and our current plan is to install one indexer on each server and use 1 Heavy Forwarder on 3rd server to send data to both indexers.
Is this plan good enough or there is a better plan like using indexer clustering and install cluster master on 3rd server?
Please share your suggestions with me about deployment architecture with 2 server.
Thanks,

richgalloway · ‎12-31-2019

Use an indexer cluster to replicate your data.

Forcing a HF to send data to two indexers creates more problems than it solves. Your license will be hit twice. Your searches will return duplicate results. Any failure to connect to indexer (like during maintenance) means your data is no longer in two places. Clustering resolves all of these issues.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-31-2019

Use an indexer cluster to replicate your data.

Forcing a HF to send data to two indexers creates more problems than it solves. Your license will be hit twice. Your searches will return duplicate results. Any failure to connect to indexer (like during maintenance) means your data is no longer in two places. Clustering resolves all of these issues.

---
If this reply helps you, Karma would be appreciated.

jg91 · ‎01-03-2020

Thank you, I used your solution.

Help on Splunk deployment plan

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases