Deployment Architecture

How to configure replication on multisite indexer cluster on Splunk 6.5.2?

New Member

Good evening,

In my company, I tried to install Splunk Enterprise in multisite mode.
I have gone through all the documentation on this subject and I do not understand how it works.

My architecture:
Site 1:
1 master (+ license)
4 indexers (index: sandbox)
1 search head
1 universal forwarder
Site 2:
4 indexers (index : sandbox)

My config site_replication_factor is: origin1; Site1: 1 site2: 1: total: 2 (i tried some config, failure
My objective is to be tolerant to breakdowns (on 1,2,3,4 nodes of the same site).
If I lose a node, replication allows you to continue. It does not work for me.

My process:
T = 0: The FW of the site1 sends the data (index: sandbox on the site1).
T = 1: The data arrives at node 1 of the site1.
T = 3: Site1 sends to node 2 of site2.
I check the volumetry in / var / lib / splunk / sandbox (wath -n 1 of --max-depth = 1.).
The data is deposited on the two nodes 1 (site1) and 2 (site2).
T = 4: On the master interface, "index deployment", I see that node 1 (site1) has 1000 events.
But node 2 (of site2) contains 0 events. Why because I remember that "/var/lib/splunk/sandbox" contains data on node2 (site2) ?
T = 5: I put offline the node1 (of site1). The volumetry of node2 (site2) "/var/lib/splunk/sandbox" decreases and empties in seconds.
Then, the master interface for the bacasable index contains 0 events. No replication.
T = 6: Node 1 is started. It does not go up the 1000 events it contained before being offline.

I do not understand how it works.

Is it possible to replicate data and keep it?
Can you help me set up clustering mode, including site_replication_factor at first?


0 Karma

Ultra Champion

Hello Robin Hearch,
please read this doc carefully and apply process:
your configuration on server.conf in Cluster Master is as follow:

mode = master
# pass4SymmKey = password
multisite = true
available_sites = site1, site2
site_replication_factor = origin:2, total:4
site_search_factor = origin:1,  total:2

this configuration will save 2 copies on your origin site (where data first lands) meaning 1 original and one copy on same site
Also it will send 2 copies to the second site.
it will have 1 searchable copy on each site for search affinity

one last thing, make sure that your indexers has the right configuration in server.conf

site = site<n>

mutlisite = true

Hope it helps

0 Karma
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...