I need to install multiple instances of Splunk 6.4 on a single Linux server. For example, I would like to know how I can set up 4 indexers on a single instance. This is not for production, merely to test out clustering in DEV. Could you please point me to the documentation? Thank you.
Well, the documentation says that each node in an indexer cluster must be on a separate instance, and that each instance must run on a separate machine or virtual machine. See System requirements and other deployment considerations for indexer clusters in the Managing Indexers and Clusters of Indexers manual. So if you want to set up multiple VMs on your single server, you could do it that way.
Thanks ChrisG. I took the Clustering class this week and the instructor had a single VM that hosted 4 indexers. And another VM hosted 4 search heads - both of these clustered.
For DEVELOPMENT purposes I want to set up something similar. I found a document in the Splunk community wiki but it was written in 2013. I was wondering if perhaps there was a newer version.
You should be just fine with multiple instances on the same server for development and it makes perfect sense. You "just" need to administer the ports and the file system carefully. After all, the software needs a couple of ports open and certain areas in the file systems - nothing too complex.
Usually for this sort of thing you won't find an official document, which is unfortunate.
So if you have multiple indexers on the same box as part of the same cluster... How will they all bind to the same port?
With multiple network cards or IP addys it's possible I believe... or in virtual box it would be possible if you're using a virtual switch.
Otherwise you can't bind to same port on the same IP.
You can also run more than one Splunk instance on a box specifying different port numbers for each install but then you can't cluster them together.
5000,6000,7000,8000 and so on. Just note that Splunk binds to an IP and Port and once bound, nothing else can open that port on that IP.
You can add hundreds even thousands+ of IPs to one NIC in Windows and Linux.
Splunk is not designed to run multiple instances. That doesn't mean you can't. But it is unnecessary hard work when there are so many ways to just virtualise.
Have you looked at the possibility of using Docker to achieve what you are looking for?
Using Docker you should be able to create a private network with multiple instances of Splunk Enterprise to create a mini Index Cluster.
I can double this.
Or another approach, create 4 small VMs on your PC/Laptop with each having 1vCPU and 256Mb RAM (which is completely out of range in regards of system specs!) and you can run your DEV / QATEST cluster this way.
I know this works perfectly, because I run a cluster like this on my MacBook 😉
Seeing as how there isn't any documentation on this subject other than what you may have already found... Can you let us know how we could answer your question short of writing a document for you?
Thanks.. I was able to create a DEV environment with 2 servers in a cluster environment with indexer replication....
1 server has separate instances for:
- cluster master
- deployment server
- and 2 search heads
1 server has 2 separate indexers instances...
The .conf files that need to be changed to support multiple instances are :
All in the /etc/system/local directory. All the above instances are license slaves, with License Master sitting on another dedicated server.
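Added example, not part of any post in this thread: a pre-flight check for the port bookkeeping discussed above, which flags planned listeners that cannot coexist (same IP and port, or a wildcard bind on a shared port) and endpoints already taken on the host. Instance names, role names, IPs and port numbers are constructed sample values, not read from any Splunk configuration.

```python
import socket
from collections import defaultdict

WILDCARD = "0.0.0.0"  # a listener here claims the port on every local IPv4 address

# Constructed plan: instance -> (bind IP, {role: port}). All values are samples.
PLAN = {
    "idx1": ("127.0.0.1", {"web": 8000, "mgmt": 8089, "replication": 9887}),
    "idx2": ("127.0.0.1", {"web": 8100, "mgmt": 8189, "replication": 9887}),
    "idx3": ("127.0.0.2", {"web": 8000, "mgmt": 8089, "replication": 9887}),
    "idx4": (WILDCARD, {"web": 8200, "mgmt": 8089, "replication": 9987}),
}

def plan_collisions(plan):
    """Return {port: [instance.role, ...]} for claims that cannot coexist."""
    by_port = defaultdict(list)
    for name, (ip, ports) in plan.items():
        for role, port in ports.items():
            by_port[port].append((ip, f"{name}.{role}"))
    clashes = defaultdict(set)
    for port, claims in by_port.items():
        for i, (ip_a, who_a) in enumerate(claims):
            for ip_b, who_b in claims[i + 1:]:
                # Same IP clashes; a wildcard bind clashes with every IP.
                if ip_a == ip_b or WILDCARD in (ip_a, ip_b):
                    clashes[port].update((who_a, who_b))
    return {port: sorted(who) for port, who in clashes.items()}

def is_free(ip, port):
    """True if a TCP listener could bind ip:port on this host right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((ip, port))
        except OSError:
            return False
    return True

if __name__ == "__main__":
    for port, who in sorted(plan_collisions(PLAN).items()):
        print(f"port {port}: {', '.join(who)} cannot all listen")
    for name, (ip, ports) in PLAN.items():
        for role, port in ports.items():
            if not is_free(ip, port):
                print(f"{name}.{role}: {ip}:{port} is already in use")
```

In the sample plan, idx1 and idx3 may share port numbers because they bind different addresses, while idx4's wildcard bind on 8089 conflicts with both.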