Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to configure my indexer cluster to only replicate my custom index data, not Splunk internal indexes?

saifuddin9122
Path Finder
‎06-22-2016 08:20 AM

Hello

I have an indexer cluster setup which is successfully UP and replicating on to the other nodes, but the problem is the internal indexes are also getting replicated. I don't want to replicate those indexes. I just want to replicate my custom index.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

shaskell_splunk
Splunk Employee
Splunk Employee
‎06-22-2016 09:22 AM

You need to look at the indexes.conf settings and make sure that for any index you don't want replicated this is not set to anything other than 0.

repFactor = |auto
 \* Only relevant if this instance is a clustering slave (but see note about
  "auto" below).
 \* See server.conf spec for details on clustering configuration.
 \* Value of 0 turns off replication for this index.
 \* If set to "auto", slave will use whatever value the master has.
 \* Highest legal value is 4294967295
 \* Defaults to 0.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

shaskell_splunk
Splunk Employee
Splunk Employee
‎06-22-2016 09:22 AM

You need to look at the indexes.conf settings and make sure that for any index you don't want replicated this is not set to anything other than 0.

repFactor = |auto
 \* Only relevant if this instance is a clustering slave (but see note about
  "auto" below).
 \* See server.conf spec for details on clustering configuration.
 \* Value of 0 turns off replication for this index.
 \* If set to "auto", slave will use whatever value the master has.
 \* Highest legal value is 4294967295
 \* Defaults to 0.
0 Karma
Reply
Solved! Jump to solution

saifuddin9122
Path Finder
‎06-22-2016 09:41 AM

Thanks for your answers.
i am still with little bit confusion.. are you telling me to change the repFactor to 0 in indexes.conf (etc/system/default)

0 Karma
Reply
Solved! Jump to solution

shaskell_splunk
Splunk Employee
Splunk Employee
‎06-22-2016 09:52 AM

No, definitely not! You never touch configs in etc/system/default. You always override configs in the local folder or within an app.

A clustered environment is much more complex in its configuration than its non-clustered counterpart. I suggest you read the docs on how to setup indexes and distribute configs in a clustered environment.

If you're not comfortable with doing any of this I'd suggest opening a ticket with Splunk support.

Reply
Solved! Jump to solution

saifuddin9122
Path Finder
‎06-22-2016 09:58 AM

Thanks for you suggestion.

your answers helped me

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎06-22-2016 01:12 PM

Hi @saifuddin9122

If @shaskell solved your question, please don't forget to resolve the post by clicking "Accept" directly below the answer, and upvote the answer and/or comments that were helpful.

Cheers

Patrick

0 Karma
Reply
Solved! Jump to solution

shaskell_splunk
Splunk Employee
Splunk Employee
‎06-22-2016 10:01 AM

You're welcome! Happy to help.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...