How can I configure indexes to replicate data with each other in a Splunk deployment?

rashid47010
Communicator

Hi everyone,
I am planning to create a Splunk lab.
I want:
2 forwarders, which will receive the logs from multiple sources (Windows, UNIX, log files, etc.)
2 indexers that replicate data with each other

One search head.

For forwarder high availability, I configure both indexers' IPs in the output.conf file on both forwarders.

Q: Now how can I configure indexes to replicate data with each other?

0 Karma
1 Solution

adonio
Ultra Champion

@rashid47010,
Please refer to the above comments by @SteveG and @skoelpin.
For an indexer cluster to replicate data you will need at least 4 machines: 1 Cluster Master, 1 Search Head and 2 Indexers.

Hope it helps.

ssadanala1
Contributor

Hi

Configure your SH to search through both indexers.

That will be the best shot for a dev environment.

rashid47010
Communicator

How can I accept your answer?

0 Karma

rashid47010
Communicator

@ssadanala1
Thanks.
It is helpful for understanding the basic concept.

0 Karma

ssadanala1
Contributor

Hi,

You can configure your SH to search through both indexers.

That will be the best shot in this scenario.

0 Karma

p_gurav
Champion

You can configure indexer clustering. Refer to the docs below:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Indexer/Aboutclusters

0 Karma

rashid47010
Communicator

Hi,
Thanks for your kind reply.
I believe that I need another server as index cluster.
I am limited in resources.

0 Karma

skoelpin
SplunkTrust

Don't cluster your indexers until you have 3 indexers and 1 cluster master available

0 Karma

p_gurav
Champion

This is not best practice, but you can make your search head the cluster master and then configure indexer clustering, as you have limited resources.

0 Karma

Steve_G_
Splunk Employee

More than "not best practice", using a search head as the cluster master is not supported. See http://docs.splunk.com/Documentation/Splunk/7.0.3/Indexer/Systemrequirements#Required_Splunk_Enterpr...

0 Karma
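
A sketch of the four-machine layout named in the accepted answer (one cluster master, two peer indexers, one search head) plus the two forwarders from the question, added here as an example and not taken from any poster's configuration. The hostnames, the ports 9887 and 9997, the group name and the key placeholder are assumptions; the setting names are those of Splunk 7.x `server.conf`, `inputs.conf` and `outputs.conf`.

```ini
# --- Cluster master: $SPLUNK_HOME/etc/system/local/server.conf ---
[clustering]
mode = master
# Only two peers exist, so keep two copies of every bucket, both searchable
# (the default replication_factor of 3 cannot be met with two peers).
replication_factor = 2
search_factor = 2
# Shared secret: must be identical on the master, both peers and the search head.
pass4SymmKey = <cluster-secret-placeholder>

# --- Each of the 2 indexers (peers): server.conf ---
# Port on which peers stream replicated buckets to each other (assumed value).
[replication_port://9887]

[clustering]
mode = slave
master_uri = https://cm.lab.example:8089
pass4SymmKey = <cluster-secret-placeholder>

# --- Each of the 2 indexers: inputs.conf (receive data from forwarders) ---
[splunktcp://9997]

# --- Search head: server.conf ---
# The search head learns the peer list from the master, not from a static list.
[clustering]
mode = searchhead
master_uri = https://cm.lab.example:8089
pass4SymmKey = <cluster-secret-placeholder>

# --- Both forwarders: outputs.conf ---
[tcpout]
defaultGroup = lab_indexers

[tcpout:lab_indexers]
# Listing both peers makes the forwarder load-balance and fail over between them.
server = idx1.lab.example:9997, idx2.lab.example:9997
# Indexer acknowledgment: the forwarder resends data a peer did not confirm.
useACK = true
```

Each instance has to be restarted after its file is edited for the clustering settings to take effect.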