Deployment Architecture

How does indexer cluster replication affect license usage?

geoppspl7
New Member

For about a week, two of our indexers were not replicating to their slaves - oddly, this reduced our license usage by half (p2) and we did not really see any events missing. Once the replication of the two indexes was re-enabled, the usage doubled to our usual levels.

I've raised a case with Splunk support, but I can't really get a straight answer. Essentially, what I would like to know is if we are penalized for every replica?

Heavy Forwarders and Universal forwarders are configured to forward events to both indexers so in theory, if an index is not replicating, we should still ingest logs. [we have two indexers and two large indexes: network and security, so one indexer will hold the primary copy of the index and the other the slave copy]


0 Karma

ddrillic
Ultra Champion

MuS
Legend

Hi geoppspl7,

I don't know why you cannot get a straight answer, because it is pretty straightforward:

All _raw data that hits any indexer will count against your license.
See the docs for more details http://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/TypesofSplunklicenses#Licenses_for_indexer_c...

This is important to you:

Only incoming data counts against the license; replicated data does not.
That said, check if

  • you're forwarding the data between the indexers and forcing it back into the parsing queue (not sure if, but it could get you weird results)
  • instead of load balancing the events over your two indexers, you are sending a duplicate stream from the UFs; check your outputs.conf

Hope this helps ...

cheers, MuS

0 Karma

geoppspl7
New Member

Hi MuS,

Thank you for your comments.

The indexes.conf on the master (C:\Program Files\Splunk\etc\master-apps_cluster\local) sets "repFactor=auto", which should result in the index's data being replicated to other peers in the cluster, and I've not come across any other settings.

As far as the outputs.conf is concerned on the universal forwarders - the way I understand this is that we are not cloning data, but merely balancing between the two indexers:

[tcpout:indexers]
disabled=false
autoLBFrequency=40
server=10.250.156.60:9997,10.250.156.61:9997
useACK=true

Similarly the following is the outputs.conf from a heavy forwarder that handles syslog traffic. Here however I don't see useACK - does that mean that if index replica was disabled = some events will not have been indexed and therefore lost?

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://10.250.156.60:9997]

[tcpout:default-autolb-group]
disabled = false
server = 10.250.156.60:9997,10.250.156.61:9997

[tcpout-server://10.250.156.61:9997]
0 Karma

MuS
Legend

The outputs.conf of the HWF is cloning the events to 10.250.156.60 and 10.250.156.61 and at the same time using them in a load balanced config...

Just use it like this:

 [tcpout]
 defaultGroup = default-autolb-group

 [tcpout:default-autolb-group]
 disabled = false
 autoLBFrequency = 30
 server = 10.250.156.60:9997,10.250.156.61:9997
0 Karma

geoppspl7
New Member

I've changed the file as suggested, but having restarted Splunk on that heavy forwarder I don't see any event count decrease. I run "* source="udp:514" index=network | timechart count" which are ingested via that heavy forwarder...

0 Karma

rvany
Communicator

This is old - but: do you still think that the shown outputs.conf on the HFW is cloning events? If so, why?

To my knowledge a [tcpout-server:<ipaddr>] stanza could be used for server specific configuration. But that's only in addition to the settings done in a server group, i.e. something like [tcpout:my-1st-indexer-group].

0 Karma

MuS
Legend

This was just something I observed - it could have been a reason why things go weird.

This is not everything, but gives you a starting point...

0 Karma
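Added example, not part of any post in this thread: a Python check that reads an outputs.conf and reports whether the default routing clones events (more than one target group listed in defaultGroup) or load-balances them (several servers inside one group), and whether useACK is set on each group. It looks only at defaultGroup in outputs.conf and ignores _TCP_ROUTING overrides in inputs.conf; the group names idx_a and idx_b are constructed for the counter-example.

```python
import configparser

# Constructed from the heavy forwarder outputs.conf posted in the thread.
HF_CONF = """\
[tcpout]
defaultGroup = default-autolb-group
[tcpout-server://10.250.156.60:9997]
[tcpout:default-autolb-group]
disabled = false
server = 10.250.156.60:9997,10.250.156.61:9997
[tcpout-server://10.250.156.61:9997]
"""

# Constructed counter-example (hypothetical group names): two default groups.
CLONE_CONF = """\
[tcpout]
defaultGroup = idx_a, idx_b
[tcpout:idx_a]
server = 10.250.156.60:9997
useACK = true
[tcpout:idx_b]
server = 10.250.156.61:9997
"""

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def analyze_outputs(text):
    """Classify default forwarding as clone / load-balance from outputs.conf text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep Splunk's case-sensitive setting names
    cp.read_string(text)
    defaults = _csv(cp.get("tcpout", "defaultGroup", fallback=""))
    groups = {}
    for name in defaults:
        section = "tcpout:" + name
        groups[name] = {
            "servers": _csv(cp.get(section, "server", fallback="")),
            # useACK defaults to false when the setting is absent
            "useACK": cp.get(section, "useACK", fallback="false").lower() in ("true", "1"),
        }
    if len(defaults) > 1:
        mode = "clone"            # every event is sent to each default group
    elif defaults and len(groups[defaults[0]]["servers"]) > 1:
        mode = "load-balance"     # each event goes to one server of the group
    else:
        mode = "single-or-unset"  # one server, or no defaultGroup in this file
    return {"mode": mode, "groups": groups}
```

Run `analyze_outputs()` on the text of each forwarder's effective outputs.conf; a result of `clone` means the same events reach more than one indexer group as incoming data.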