If a peer goes down in an indexer cluster, how doe...

splunkn · ‎06-06-2016

Little confused in Indexer Clustering. I have 3 peers with One master and One Search Head. Replication Factor is 3 and Search Factor is 2. If one of the indexers goes down, Master can manage with 2 searchable copies by moving the primacy and convert non-searchable into searchable. Search Factor is good, but in this case, my rep factor is 3 and number of peers also 3. If one of the peers goes down, RF could not be met and this cluster is valid, but incomplete. Two questions here:

If new data comes, how does it get replicated? Is it going to store only two copies of data in available indexers (one original + one replicated)?
What happen if my downed peer came back after one week? Whether the new data captured during last week is going to get copied in this peer?

Thanks in advance

jmallorquin · ‎06-06-2016

Hi,

For replication factor 3 you need 3 peers, in this case if your peers goes down the replication factor is not meet until you add other indexer, but your search factor will be meet after the fix process.

When your down peer goes up the master will rebuild the cluster make all the copies needed and yes after the rebuild all your peers will have a copy of the indexed data doesn't matter the time was down the indexer.

Hope i help you

If a peer goes down in an indexer cluster, how does new indexed data get replicated, and what happens when the peer comes back up later?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?