Deployment Architecture

How to configure a multisite indexer clustering environment?

Path Finder

Hi Friends ,

We have to create a multisite indexer clustering environment where Site 1 & Site 2 both will have 2 indexers at each site, overall 4 indexers. Overall 1 Search head will be there with a standby search head. Now I have two questions regarding the same.

  1. While Configuring outputs.conf of the universal forwarder, I want the logs of all the servers at site 1 must only go to site 1 indexers(in HA) and in case of both the indexers fails at site 1 logs should go to the 2 indexers of site 2 . What would be the configuration of site. If I use Auto load balancing and mention all 4 indexers in "server = indexer1:9997,indexer2:9997,Indexer3:9997,indexer4:9997" this will distribute logs in all of them. How could I use TCP_Routing in this scenario and what would be the outputs.conf file final configuration?

  2. To enable multisite clustering between Site1 & Site 2, what would be the server.conf file stanzas in the indexers of site1 & Site 2 ?

Thanks in advance ..

Splunk Employee
Splunk Employee

Overview about multisite clustering and sample configuration can be found here

http://docs.splunk.com/Documentation/Splunk/6.2.3/Indexer/Multisiteconffile

Regarding, forwarders switching to different sites, the procedure is manual for now.

0 Karma

Path Finder

Hi Mahamed ,

Thanks for your response .

For forwarder switching should we go for auto load balancing then ?

What would be the ideal output.conf config of the universal forwarder ?

0 Karma