In my company, I tried to install Splunk Enterprise in multisite mode.
I have gone through all the documentation on this subject and I do not understand how it works.
1 master (+ license)
4 indexers (index: sandbox)
1 search head
1 universal forwarder
My config site_replication_factor is: origin:1; site1:1; site2:1; total:2 (I tried some configs, failure).
My objective is to be tolerant to breakdowns (of 1, 2, 3 or 4 nodes of the same site).
If I lose a node, replication should allow me to continue. It does not work for me.
T = 0: The FW of site1 sends the data (index: sandbox on site1).
T = 1: The data arrives at node 1 of site1.
T = 3: Site1 sends to node 2 of site2.
I check the volume in /var/lib/splunk/sandbox (watch -n 1 du --max-depth=1).
The data is deposited on the two nodes 1 (site1) and 2 (site2).
T = 4: On the master interface, "index deployment", I see that node 1 (site1) has 1000 events.
But node 2 (of site2) contains 0 events. Why, since I recall that "/var/lib/splunk/sandbox" contains data on node2 (site2)?
T = 5: I take node1 (of site1) offline. The volume of node2 (site2) "/var/lib/splunk/sandbox" decreases and empties within seconds.
Then the master interface for the sandbox index contains 0 events. No replication.
T = 6: Node 1 is started. It does not bring back the 1000 events it contained before going offline.
I do not understand how it works.
Is it possible to replicate data and keep it?
Can you help me set up clustering mode, including site_replication_factor first?
This configuration will save 2 copies on your origin site (where data first lands), meaning 1 original and one copy on the same site.
Also, it will send 2 copies to the second site.
It will have 1 searchable copy on each site for search affinity.
One last thing: make sure that your indexers have the right configuration in server.conf:
[general]
site = site<n>
[clustering]
multisite = true
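As an added illustration (not configuration from the thread or from Splunk's documentation verbatim), here is a complete two-site layout matching the question's topology: one master, two peers per site, one search head, one replicated index. Hostnames (splunk-master), the port, the shared secret placeholder and the choice of 2 copies per site are assumptions; adjust them to your environment. Splunk 8.1+ also accepts mode = manager / manager_uri / peer, but the older names used below still work.

```ini
# ---- server.conf on the master (cluster manager) ----
# Assumed: two sites (site1, site2) with two indexers each.
[general]
site = site1

[clustering]
mode = master
multisite = true
available_sites = site1,site2
# Every bucket gets 2 copies in the site where it lands (origin) and
# 2 copies in the other site, 4 in total: any single indexer, or even a
# whole site, can disappear without losing raw data.
site_replication_factor = origin:2,site1:2,site2:2,total:4
# One searchable copy per site so searches stay local (search affinity)
# and still succeed when the other site is down.
site_search_factor = origin:1,site1:1,site2:1,total:2
pass4SymmKey = CHANGE_ME_shared_cluster_secret

# ---- server.conf on each indexer (cluster peer) ----
# site = site1 on the two site1 peers, site = site2 on the other two.
[general]
site = site1

[clustering]
mode = slave
master_uri = https://splunk-master:8089
pass4SymmKey = CHANGE_ME_shared_cluster_secret

# Port the peers use to stream bucket copies to each other.
[replication_port://9887]

# ---- server.conf on the search head ----
[general]
site = site1

[clustering]
mode = searchhead
master_uri = https://splunk-master:8089
multisite = true
pass4SymmKey = CHANGE_ME_shared_cluster_secret

# ---- indexes.conf for the replicated index ----
# Place this under $SPLUNK_HOME/etc/master-apps/_cluster/local/ on the
# master and push it with "splunk apply cluster-bundle"; peers must not
# define clustered indexes locally.
# Without repFactor = auto an index is not replicated at all, whatever
# site_replication_factor says.
[sandbox]
homePath   = $SPLUNK_DB/sandbox/db
coldPath   = $SPLUNK_DB/sandbox/colddb
thawedPath = $SPLUNK_DB/sandbox/thaweddb
repFactor  = auto
```

After restarting the peers, "splunk show cluster-status" on the master should list all four peers with their sites, and the master's Indexer Clustering page should report both the replication factor and the search factor as met. If it reports the factors as not met, or the bucket copies vanish when a peer goes offline as described in the question, check repFactor on the index and the site values in the peers' server.conf before touching site_replication_factor.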