How to replicate or have a copy of index in two di...

RAVISHANKAR · ‎10-15-2024

Currently I am having a Splunk Indexer with multiple Indexes and a Search Head.

I would like to have one or two indexes to be available in two splunk indexer and data should be available to access from Search Head from both Indexer.

Thanks

gcusello · ‎10-15-2024

Hi @RAVISHANKAR ,

the best approach is to create an Indexer Cluster that automatically replicate indexes between Indexers, but it requests an additional machine as Cluster Manager, in this way you have HA on your data and you don't pay twice the indexed logs.

Otherwise, you could forward logs to the two Indexers: in this way you pay twice the logs and you don't have HA, but you don't need an additional machine.

Ciao.

Giuseppe

PickleRick · ‎10-15-2024

That's something you normally achieve by deploying an indexer cluster.

There is a possibility to migrate a standalone indexer to a clustered setup but it requires some careful planning and is usually best done with help from Professional Services or your friendly local experienced Splunk Partner to work out all the architectural details and plan the whole process.

How to replicate or have a copy of index in two different Splunk Indexer located in different place.

forwarder

indexing performance

proactive Splunk component monitoring

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Join the Conversation