I have a multisite Indexer Cluster and Search Head Cluster and I want to identify what is the volume of data being replicated/sent over the WAN between each host, what would be the best way to do this?
I use this to track indexer replication traffic between my two sites:
index=_internal (host=indexer*) (destIp="10.xx.xx.xx" OR destIp="10.yy.yy.yy") sourcetype=splunkd destPort=9887 | timechart span=15m avg(tcp_KBps)
View solution in original post
Is there a search that can be run to identify replicated data size and how often this happens? I need a volumetric profile of our WAN load.
Bulk of the data replication will be between indexer's and that will depend on the RF and SF and indexing rate
both are 2.
Indexer 1 = Site 1 Indexer 2 = Site 2 Search Head 1 = Site 1 Search Head 2 = Site 1 Search Head 3 = Site 2
