
How do I ensure indexed data stays in the local area in which it was indexed?

Communicator

I have a distributed clustered environment with (1) search head, (2) indexer nodes clustered together, (1) master node, and (1) deployment server at location A. At location B I have (1) search head and (2) indexer nodes that are also clustered together. I want to minimize the amount of traffic sent between the (2) sites as much as possible.

My server.conf file configuration on my master node at location A is set as follows:

[clustering]
access_logging_for_heartbeats = 1
cluster_label = SplunkCluster
max_peer_build_load = 5
mode = master
pass4SymmKey = afadfgsdfgsdfgsgf
available_sites = site1,site2
site_replication_factor = origin:2,total:3
site_search_factor = origin:1.total:2
multisite = true
heartbeat_timeout = 180

[general]
pass4SymmKey = dfasfdasdgdasfasdgsd
serverName = splunk4
site = site1
allowRemoteLogin = always

My server.conf file configuration on my search head at location A is set as follows:

[clustering]
access_logging_for_heartbeats = 1
cluster_label = SplunkCluster
master_uri = https://splunk4:8089
max_peer_build_load = 5
mode = searchhead
multisite = true
pass4SymmKey = lajfaqwjpo24j[w
search_factor = 2

[general]
pass4SymmKey = ;dnkhewiopaj[rjo
serverName = splunk1
site = site1

My server.conf file configuration for indexer #1 at location A is set as follows:

[clustering]
master_uri = https://splunk4:8089
mode = slave
pass4SymmKey = sdjfl;asjhiopaejfasd

[general]
pass4SymmKey = ;kdjfkl;asj;djafj
serverName = splunk2
site = site 1

My server.conf file configuration for indexer #2 at location A is set as follows:

[clustering]
master_uri = https://splunk4:8089
mode = slave
pass4SymmKey = jkljhljkhlhujh

[general]
pass4SymmKey = jhljkhkljhiouhoi
serverName = splunk3
site = site 1

My server.conf file configuration on my search head at location B is set as follows:

[clustering]
master_uri = https://splunk4:8089
mode = searchhead
pass4SymmKey = jal;kjl;ajjfoijope
multisite = true

[general]
pass4SymmKey = ;kljakjdfl;ajfioewj
serverName = splunk6
site = site2

My server.conf file configuration for indexer #1 at location B is set as follows:

[clustering]
master_uri = https://splunk4:8089
mode = slave
pass4SymmKey = jal;kjl;ajjfoijope

[general]
pass4SymmKey = ljlkjl;j;ljl;jdk;lkas
serverName = splunk7
site = site2

My server.conf file configuration for indexer #2 at location B is set as follows:

[clustering]
master_uri = https://splunk4:8089
mode = slave
pass4SymmKey = dasdfafdasfdaf

[general]
pass4SymmKey = fsdgdfgsdgf
serverName = splunk8
site = site2

Will the configs outlined above allow that, or am I missing something?

Thanks,
Tom Forbes

0 Karma

Re: How do I ensure indexed data stays in the local area in which it was indexed?

SplunkTrust

Multi-site search affinity should work automatically as long as you have a searchable copy of the data at the same site. So that much should be good without going to extra steps as long as the indexers are configured correctly.

Adding site_search_factor = origin:1.total:2 as you have should take care of at least having one searchable copy of data at each site, so in case of network problem or indexer failure you'll still be able to search. (In those emergencies you may search across sites).

So, on to your multi-site indexer cluster settings. You've set site_replication_factor = origin:2,total:3 with two sites that appear to be correctly set up with two indexers each. So, wherever the data originates (either site1 or site2) will get two copies - matching your two indexers - and the "other" site will get one more copy to bring it up to 3 total copies.

In my eyes the multi-site stuff looks correct to accomplish your goals. The rest of the config I'm less an expert on but it doesn't look wrong.

Does that help?

0 Karma
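
A pre-deployment check for the multisite values discussed in this thread, as an added example that is not part of either post and is not Splunk code: it parses the site factors, checks each indexer's `site` value, and confirms the requested copy counts fit the peers at each site. The names `parse_factor` and `lint` are hypothetical, only the `origin:N,total:M` form is handled, and the sample dictionaries reproduce the values as typed in the question.

```python
import re

FACTOR_TERM = re.compile(r"^(origin|total):(\d+)$")
SITE_ID = re.compile(r"^site\d+$")

# Values as typed in the question (master [clustering] stanza, indexer [general] site).
POSTED_MASTER = {"available_sites": "site1,site2",
                 "site_replication_factor": "origin:2,total:3",
                 "site_search_factor": "origin:1.total:2"}
POSTED_PEERS = {"splunk2": "site 1", "splunk3": "site 1",
                "splunk7": "site2", "splunk8": "site2"}

def parse_factor(value):
    """Parse 'origin:N,total:M' (the only form handled here) into a dict."""
    terms = {}
    for term in value.split(","):
        m = FACTOR_TERM.match(term.strip())
        if not m:
            raise ValueError(f"unparseable term {term.strip()!r}")
        terms[m.group(1)] = int(m.group(2))
    if set(terms) != {"origin", "total"} or terms["origin"] > terms["total"]:
        raise ValueError(f"need origin and total with origin <= total, got {terms}")
    return terms

def lint(master, peers):
    """Return a list of problems; an empty list means every check passed."""
    problems, per_site = [], {}
    for name, site in peers.items():
        if SITE_ID.match(site):
            per_site[site] = per_site.get(site, 0) + 1
        else:
            problems.append(f"{name}: site value {site!r} is not of the form siteN")
    sites = [s.strip() for s in master["available_sites"].split(",")]
    for key in ("site_replication_factor", "site_search_factor"):
        try:
            factor = parse_factor(master[key])
        except ValueError as err:
            problems.append(f"{key}: {err}")
            continue
        # A peer holds at most one copy of a bucket, so copies cannot exceed peers.
        for site in sites:
            if factor["origin"] > per_site.get(site, 0):
                problems.append(f"{key}: origin:{factor['origin']} exceeds peers at {site}")
        if factor["total"] > sum(per_site.get(s, 0) for s in sites):
            problems.append(f"{key}: total:{factor['total']} exceeds peers in the cluster")
    return problems

if __name__ == "__main__":
    print("\n".join(lint(POSTED_MASTER, POSTED_PEERS)) or "no problems found")
```

Peers whose `site` value fails the format check are not counted toward any site, so one mistyped value can produce several findings.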