Deployment Architecture

How to configure my indexer cluster to only replicate my custom index data, not Splunk internal indexes?

saifuddin9122
Path Finder

Hello

I have an indexer cluster setup which is successfully UP and replicating on to the other nodes, but the problem is the internal indexes are also getting replicated. I don't want to replicate those indexes. I just want to replicate my custom index.

0 Karma
1 Solution

shaskell_splunk
Splunk Employee
Splunk Employee

You need to look at the indexes.conf settings and make sure that for any index you don't want replicated this is not set to anything other than 0.

repFactor = |auto
 \* Only relevant if this instance is a clustering slave (but see note about
  "auto" below).
 \* See server.conf spec for details on clustering configuration.
 \* Value of 0 turns off replication for this index.
 \* If set to "auto", slave will use whatever value the master has.
 \* Highest legal value is 4294967295
 \* Defaults to 0.

View solution in original post

0 Karma

shaskell_splunk
Splunk Employee
Splunk Employee

You need to look at the indexes.conf settings and make sure that for any index you don't want replicated this is not set to anything other than 0.

repFactor = |auto
 \* Only relevant if this instance is a clustering slave (but see note about
  "auto" below).
 \* See server.conf spec for details on clustering configuration.
 \* Value of 0 turns off replication for this index.
 \* If set to "auto", slave will use whatever value the master has.
 \* Highest legal value is 4294967295
 \* Defaults to 0.
0 Karma

saifuddin9122
Path Finder

Thanks for your answers.
i am still with little bit confusion.. are you telling me to change the repFactor to 0 in indexes.conf (etc/system/default)

0 Karma

shaskell_splunk
Splunk Employee
Splunk Employee

No, definitely not! You never touch configs in etc/system/default. You always override configs in the local folder or within an app.

A clustered environment is much more complex in its configuration than its non-clustered counterpart. I suggest you read the docs on how to setup indexes and distribute configs in a clustered environment.

If you're not comfortable with doing any of this I'd suggest opening a ticket with Splunk support.

saifuddin9122
Path Finder

Thanks for you suggestion.

your answers helped me

0 Karma

ppablo
Retired

Hi @saifuddin9122

If @shaskell solved your question, please don't forget to resolve the post by clicking "Accept" directly below the answer, and upvote the answer and/or comments that were helpful.

Cheers

Patrick

0 Karma

shaskell_splunk
Splunk Employee
Splunk Employee

You're welcome! Happy to help.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...