Indexer cluster from non clustered indexer

noybin
Communicator

Hello,

I have an instance with indexer and Search head in the same instance.

I was asked to create a cluster of indexers formed by the indexer I already have (replicating its data) and a new Indexer:

  1. Is it possible to keep the indexer and search head in the same instance or do I need to separate the indexer from the Search Head?
  2. Is it possible to replicate the historical data I have on the indexer into the new cluster member?
  3. Is there an official procedure on how to achieve this?

Thank you very much.
Regards.

woodcock
Esteemed Legend

1: Probably but NOBODY does this. If you "need" to cluster, then you need Indexer capacity of some sort. Your Indexer tier's collective quality/response is only as good as your WORST single Indexer. You are guaranteeing that you will always have 1 Indexer (your Search Head + Indexer combo) that is worse than all the others.

2: It is possible but not officially supported. The bucket format for clustered indexers is different than for non-clustered. But they can co-habitate fine (it is just that the older format will NEVER replicate; eventually it will age out and nobody will care/notice).

3: No. #1 is unwise and nobody does it (so why would anybody document it). #2 is documented as "unsupported" but unofficially Splunk will do it for "important clients" and some of us will do it if you are willing to take the risk (we ninjas like to live dangerously).

noybin
Communicator

Hi,

Thank you very much for your response.

I will not migrate the old data. It's the customer's decision.

Which of the following would be better?

To keep that indexer for the old data only and create a cluster with 2 new indexers? (Is this possible?)
In this case I would have the SH consuming from one cluster (with 2 members) and a separate indexer.

or

Include this indexer as one of the members of the cluster and create a new indexer as the second member? (Is this possible?)
In this case the SH will be consuming only from the cluster (with 2 members).

Thanks again.
Regards.

somesoni2
Revered Legend

Ans 1. You would need a separate VM for the search head instance and a cluster master instance. See this for more details on machine requirements for an indexer cluster: http://docs.splunk.com/Documentation/Splunk/6.5.1/Indexer/Systemrequirements#Machine_requirements

Ans 2 and 3. See this: http://docs.splunk.com/Documentation/Splunk/6.5.1/Indexer/Migratenon-clusteredindexerstoaclustereden...
