Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How does indexer cluster replication affect license usage?

geoppspl7
New Member
‎11-23-2016 01:38 PM

For about a week, two of our indexers were not replicating to their slaves - oddly this reduced our license usage by half(p2) and we did not really see any events missing. Once the replication of the two indexes was re-enabled - the usage doubled to our usual levels.

I've raised a case with Splunk support, but I can't really get a straight answer. Essentially, what I would like to know is if we are penalized for every replica?

Heavy Forwarders and Universal forwarders are configured to forward events to both indexers so in theory, if an index is not replicating, we should still ingest logs. [we have two indexers and two large indexes: network and security, so one indexer will hold the primary copy of the index and the other the slave copy]

alt text

Preview file
1 KB
0 Karma
Reply

ddrillic
Ultra Champion
‎11-23-2016 03:17 PM

Obviously, what you observed doesn't make any sense - Managing Indexers and Clusters of Indexers

1: http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Systemrequirements -
says -

![alt text][2]

Preview file
1 KB
Preview file
1 KB
Reply

MuS
Legend
‎11-23-2016 03:06 PM

Hi geoppspl7,

I don't know why you cannot get a straight answer, because it is pretty straight forward:

All _raw data that hits any indexer will count against your license.
See the docs for more details http://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/TypesofSplunklicenses#Licenses_for_indexer_c...

This is important to you:

Only incoming data counts against the license; replicated data does not.
That said, check if

  • you're forwarding the data between the indexers and force it back into the parsing queue (not sure if, but it could get you wired results)
  • check if you're instead of load balancing the events over your two indexers are sending a duplicate stream form the UF's, check your outputs.conf

Hope this helps ...

cheers, MuS

0 Karma
Reply

geoppspl7
New Member
‎11-23-2016 04:24 PM

Hi MuS,

Thank you for your comments.

The indexes.conf on the master(C:\Program Files\Splunk\etc\master-apps_cluster\local) sets "repFactor=auto", which should result in the index's data to be replicated to other peers in the cluster, and I've not come across any other settings.

As far as the outputs.conf is concerned on the universal forwarders - the way I understand this is that we are not cloning data, but merely balancing between the two indexers:

[tcpout:indexers]
disabled=false
autoLBFrequency=40
server=10.250.156.60:9997,10.250.156.61:9997
useACK=true

Similarly the following is the outputs.conf from a heavy forwarder that handles syslog traffic. Here however I don't see useACK - does that mean that if index replica was disabled = some events will not have been indexed and therefore lost?

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://10.250.156.60:9997]

[tcpout:default-autolb-group]
disabled = false
server = 10.250.156.60:9997,10.250.156.61:9997

[tcpout-server://10.250.156.61:9997]
0 Karma
Reply

MuS
Legend
‎11-23-2016 04:36 PM

the outputs.conf of the HWF is cloning the events to 10.250.156.60 and 10.250.156.61 and at the same time using them in a load balanced config......

Just use it like this :

 [tcpout]
 defaultGroup = default-autolb-group

 [tcpout:default-autolb-group]
 disabled = false
 autoLBFrequency = 30
 server = 10.250.156.60:9997,10.250.156.61:9997
0 Karma
Reply

geoppspl7
New Member
‎11-23-2016 05:44 PM

I've changed the file as suggested, but having restarted Splunk on that heavy forwarder I don't see any event count decrease. I run "* source="udp:514" index=network | timechart count" which are ingested via that heavy forwarder...

0 Karma
Reply

rvany
Communicator
‎09-29-2019 04:50 AM

This is old - but: do you still think that the shown outputs.conf on th HFW is cloning events? If so, why?

To my knowledge a [tcpout-server:<ipaddr>] stanza could be used for server specific configuration. But that's only in addition to the settings done in a server group, i.e. something like [tcpout:my-1st-indexer-group].

0 Karma
Reply

MuS
Legend
‎11-23-2016 05:56 PM

This was just something I observed - it could have been a reason why things go weird.

This is not everything, but gives you a starting point...

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...