Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I have a Splunk Enterprise Search Head in a Production and a second one in a Non-Prod environment. Any best practices fo

adnankhan5133
Communicator
‎07-02-2020 02:13 PM

The search head in the Non-Prod environment will not be active and would only be turned on in the event of a disaster where the Production SH is down.

I was thinking about enabling an rsync between both search heads so that the conf. files and knowledge objects from the Prod SH are regularly synced over to the Non-Prod SH. Does anyone have any suggestions or better approaches?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎07-02-2020 08:20 PM

Rsync will work fine for this. Be cautious around the GUIDs of the SH, if you bring production back up while the DR is running you can have some potential issues. You could change this easily enough and not sync this config file.

If you're syncing KOs, why no use GIT or similar repo control. This is what most companies are doing now these days. It's a lot easier for granular control of what you replicate across, not to mention the benefits of version control/tracking. 

View solution in original post

Reply
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎07-02-2020 08:20 PM

Rsync will work fine for this. Be cautious around the GUIDs of the SH, if you bring production back up while the DR is running you can have some potential issues. You could change this easily enough and not sync this config file.

If you're syncing KOs, why no use GIT or similar repo control. This is what most companies are doing now these days. It's a lot easier for granular control of what you replicate across, not to mention the benefits of version control/tracking. 

Reply
Solved! Jump to solution

adnankhan5133
Communicator
‎07-09-2020 01:04 PM

If the Production SH went down, how would Git sync the changes over to the Non-Prod/Secondary SH? If there is an article or an app that gracefully syncs all knowledge objects between search heads, then that would be ideal for me to check out.

Sorry, I'm new to Git and came from a world where rsync was the answer to replicating KO's between search heads for DR purposes.

0 Karma
Reply
Solved! Jump to solution

adnankhan5133
Communicator
‎07-03-2020 03:02 PM

Agreed - Git or Ansible is definitely the way to go. I consulted with several others and that appears to be the best path forward.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...