Indexer Clustering

Path Finder

I have a small all-in-one Splunk environment.
I want to enable indexer clustering.

Is it possible to make my current indexer as Master and add one other server as a peer just for indexer clustering?

What happens if the all-in-one instance fails? Let's say a hardware failure.
Can I then bring up a new Search Head, connect it to the peer indexer, and mark that peer indexer as a master? Or can I install the Search Head on the peer and make that node a single all-in-one instance?

Thanks,
Arsalan


Splunk Employee

The master node must be a separate Splunk Enterprise instance from any of the peer nodes. It cannot also function as a peer node. For that reason, you probably would not find it useful to convert your current indexer to a master node. In addition, you need a separate instance to serve as the search head.

Before proceeding, read, at a minimum, these two sections concerning Splunk Enterprise requirements for an indexer cluster:

There's also a topic, which seems relevant to your situation, on how to stand up an indexer cluster for the use case where the concern is just scaling the indexing capability rather than also maintaining high availability: https://docs.splunk.com/Documentation/Splunk/7.3.0/Indexer/Clustersinscaledoutdeployments


Path Finder

Thank you so much, guys, for a quick answer.
I'm reviewing the documents, but like I said, I want to use Splunk only for a small segment of the infrastructure, and I want to have some sort of redundancy if something happens to the primary. Something like an active/standby mode.

If I'm not mistaken, by using Splunk terms, I want to have a replication factor of 1.

If I bring up two instances with the same hardware configuration, then I'll have 1 search head and one indexer (primary) and then one indexer and one search head (let's call it the replica).

Now, can I enable indexer clustering? Or, when I enable indexer clustering, the primary won't do any indexing and will just manage the peers?
If the primary won't index, then I have to have two more indexers in order to have a replication factor of 1?
So in total 3 servers?


Splunk Employee

A replication factor of 1 means that you will have just one copy of your data, the same as you would have if you were employing a non-clustered indexer. In order to replicate the data and achieve some measure of high availability, you need a replication factor of at least 2.

Assuming that you do want two copies of your data, set the replication factor to 2. However, you then need at least two peer nodes. You also need one master node and one search head. In total, you need four Splunk Enterprise instances to deploy such a scenario.

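The four-instance layout described in the answer above (one master, two peers, one search head, replication factor 2), sketched as `server.conf` fragments. This is an added example, not part of the original posts or taken from Splunk's documentation; the host name `master.example.com`, replication port 9887, `search_factor = 2` and the `<cluster-secret>` placeholder are assumptions, and the setting names are those used by the Splunk Enterprise 7.x releases the thread refers to.

```ini
# ---------------------------------------------------------------
# Instance 1: master node (dedicated instance, does not act as a peer)
# $SPLUNK_HOME/etc/system/local/server.conf
# ---------------------------------------------------------------
[clustering]
mode = master
# Two copies of every bucket, so at least two peer nodes are required.
replication_factor = 2
# Assumed value: must not exceed replication_factor.
search_factor = 2
# Shared secret that authenticates cluster members to each other.
# Placeholder only: use the same strong random value on all four instances.
pass4SymmKey = <cluster-secret>

# ---------------------------------------------------------------
# Instances 2 and 3: peer nodes (the indexers), same stanzas on both
# $SPLUNK_HOME/etc/system/local/server.conf
# ---------------------------------------------------------------
# Port on which this peer receives replicated data from the other peer.
[replication_port://9887]

[clustering]
mode = slave
# Management port of the master node (assumed host name).
master_uri = https://master.example.com:8089
pass4SymmKey = <cluster-secret>

# ---------------------------------------------------------------
# Instance 4: search head
# $SPLUNK_HOME/etc/system/local/server.conf
# ---------------------------------------------------------------
[clustering]
mode = searchhead
# The search head learns the current set of peers from the master.
master_uri = https://master.example.com:8089
pass4SymmKey = <cluster-secret>
```

Each instance needs a restart after its `server.conf` is edited, and the master should be configured and started before the peers and the search head.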

SplunkTrust

One thing you may want to do is familiarize yourself with how Indexer Clustering works and what benefits you get from it:

https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Aboutclusters

It is not ideal to have a management server (in this case, the Master Cluster Node) act with any other function. You typically want to reserve that machine only for the management functionality. I would stress this even more with the Master Cluster Node because of the amount of active work it does with bucket replication and such.

Ideally you would have one Master Node with Indexer Discovery enabled and a replication/search factor that fits your need. You would then just tell your search head to ask the Master Nodes which indexers are part of the cluster that it can search. This has the great benefit of making your indexer cluster more dynamic. This allows for you to add/remove indexers if the need arises without needing to tell the Search Head where it needs to search.

Here is what a single site cluster looks like:

[Image: single site cluster diagram]

To answer your question, I would caution against what you are trying to do and look at deploying it as described in the documentation and topology. What I recommend is maybe separating out your Search Head and Indexer functions first into a distributed search environment, and then move into clustering.
