Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How is data replicated in Clustering ?? What Happen if Cluster master goes down ??

krushivasani
Engager
‎01-10-2022 09:31 PM

How is data replicated in Clustering ?? What Happen if Cluster master goes down ??

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-11-2022 02:06 AM

Hi

CM (cluster master) is responsible to coordinate data replication, searches and distribute application bundles for cluster peers node. Also it could (should) use for indexer discovering (who source system UFs known where to send data) or other option is use fixed outputs.conf on UF e.g. via Deployment server.

Data is replicated based on SF (search factor) & RF (replication factor) on single site cluster. On multisite cluster there are also site_replication_factor and site_search_factor which define these over different sites.

More details can found here https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Basicclusterarchitecture

CM tolds to SH (search heads) where those can found searches event by generation information.

What happens when your CM goes down? It depends how active your splunk environment is. Basically CM can be down for some time (hours), as basic feature in cluster don't need that CM is always available. When it's down all other nodes use their current states (e.g. generation list for searches, indexer location information for sending data, other peer information for replicate data). Depending on your cluster activities that time can be shorter or longer (hours) before there will start to be severe issues for it's work. The recommendation is that you should have stand by CM or ability to set it up quickly (within hours) if needed. Basically this means that you must have it's current configurations and apps in some safe place (e.g. your version management system). If/when needed you can build a new CM based on those with same name (I really hope/recommended that you use only fqdn not IP:s on your configurations!).

r. Ismo

0 Karma
Reply

SinghK
Builder
‎01-10-2022 10:07 PM

CM is  responsible for coordination and enforcement of the configured data replication policy. 

 

CM goes down as in restart after patching etc. you have put the CM in maintenance mode for that 

splunk enable maintenance-mode for any activity on cluster or CM enable maintenance mode and disable after activity.

but if its a crash well there too many things that can happen. like if you are using indexer discovery forwarders will stop sending data as CM is the one which is responsible for indexer discovery.

if you are not using indexer discovery and the data will still be ingested but will not get replicated. That's all I can think of now.... 

This link below will help you with more info...

https://docs.splunk.com/Documentation/Splunk/6.4.3/Indexer/Basicclusterarchitecture

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...