Deployment Architecture

Is backing up data necessary in an indexer cluster?

FoolMoon
Engager

Since in an indexer cluster the data is replicated to other indexers, is backing up the data to somewhere else strictly necessary? I'm already backing up the configuration data in $SPLUNK_HOME/etc/ daily, but not sure if I should also implement indexed data backups, because to me it seems that the replication could be enough. And a complete failure of the cluster doesn't seem likely since it's hosted in AWS (famous last words, I know). The section on backing up indexed data in docs isn't conclusive either.

Any thoughts and experiences with this?

0 Karma

FrankVl
Ultra Champion

Depends on the recovery requirements you have and the amount of risk you're willing to accept I guess.

Replication covers several data loss risks, but not all. As you already mentioned: loss of multiple indexers (or underlying AWS infrastructure) (beyond your replication factor) can still lead to data loss, as can logical corruption / deletion or so due to some Splunk bug / mistake by an admin (or a malicious act).

In the end it should be a balance between the cost of a full backup, vs. the risk (likelihood * impact) of data loss. And that is a decision only you can make. If you just use splunk to monitor some IT systems, the situation is very different from when you use it to make critical business decisions, or store security/compliance logs that you are obligated by regulations to keep for x amount of time.

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...