I have an instance with indexer and Search head in the same instance.
I was asked to create a cluster of indexers formed by the indexer I already have (replicating its data) and a new Indexer:
Thank you very much.
Ans 1. You would need a separate VM for search head instance and a cluster master instance. See this for more details on machine requirement for indexer cluster. http://docs.splunk.com/Documentation/Splunk/6.5.1/Indexer/Systemrequirements#Machine_requirements
1: Probably but NOBODY does this. If you "need" to cluster, then you need Indexer capacity of some sort. Your Indexer tier's collective quality/response is only as good as your WORST single Indexer. You are guaranteeing that you will always have 1 Indexer (your Search Head + Indexer combo) that is worse than all the others.
2: It is possible but not officially supported. The bucket format for clustered indexers is different than for non-clustered. But they can co-habitate fine (it is just that the older format will NEVER replicate; eventually it will age out and nobody will care/notice).
3: No. #1 is unwise and nobody does it (so why would anybody document it). #2 is documented as "unsupported" but unofficially Splunk will do it for "important clients" and some of us will do it if you are willing to take the risk (we ninjas like to live dangerously).
Thank you very much for your response.
I will not migrate the old data. It's the customer decision.
What would be better from the following?:
To keep that indexer for the old data only and create a cluster with 2 new indexers? (Is this possible?)
In this case I would have the SH consuming from one cluster (with 2 members) and a separate indexer.
Include this indexer as one of the members of the cluster and create a new indexer as the second member? (Is this possible?)
In this case the SH will be consuming only from the cluster (with 2 members).