Environment with:
- 6 sites
- 4 sites with peer nodes
- 2 sites, 'alpha' and 'bravo', with only search heads
Is it possible to restrict index replication from occurring at sites 'alpha' and 'bravo'?
-OR-
Will this restriction occur automatically, due to sites 'alpha' and 'bravo' not having any peer nodes?
That will be fine, as long as your site_replication_factor/site_search_factor allow for it. If you have something like origin:1, total:6, we'll try to put 1 copy in each site, which can never meet RF/SF since there are no peers at Alpha/Bravo. So origin:1, total:4 would be okay, as would origin:2, total:3.
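As a rough illustration of the settings discussed above, the cluster master's server.conf might look something like the sketch below. The site names are assumptions: Splunk expects names of the form site<n>, so site1 through site4 stand in for the four sites with peers, and site5 and site6 stand in for 'alpha' and 'bravo'. The pass4SymmKey value is a placeholder, and the master's own site is picked arbitrarily.

```
# server.conf on the cluster master (illustrative sketch, not a tested config)
[general]
# Assumed: the master lives at one of the sites that has peers
site = site1

[clustering]
mode = master
multisite = true
# site5 and site6 are stand-ins for 'alpha' and 'bravo' (search heads only)
available_sites = site1,site2,site3,site4,site5,site6
# total is kept at 4 so that it can be met by the four sites that have peers
site_replication_factor = origin:1,total:4
site_search_factor = origin:1,total:4
# Placeholder; use your cluster's shared secret
pass4SymmKey = <your_key>
```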
Make sure to call ./splunk set indexing-ready on the Cluster Master every time it restarts; otherwise it will wait for peers from Alpha/Bravo to join before it starts scheduling cluster activities.
You don't even need to tell Splunk that sites Alpha and Bravo exist. You can have every server at one physical site or servers across 20 physical sites - it makes no difference. You get to define the sites, and assign servers to sites, using any scheme that you want in Splunk clustering.
In a cluster, every indexer must have a site specified so that it can replicate properly. The assignment has to be correct, and it affects how you set site_replication_factor/site_search_factor (e.g., origin:1, total:4). There should be no "site" without indexers. In other words, every site should have at least one indexer assigned to it.
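For example, a peer node's site assignment could be sketched in its server.conf roughly as follows. The site name, master address, and replication port are all assumptions chosen for illustration.

```
# server.conf on an indexer (peer node); illustrative sketch only
[general]
# Assumed site name; each peer gets the site it physically or logically belongs to
site = site2

# Assumed replication port
[replication_port://9887]

[clustering]
mode = slave
# Hypothetical master address
master_uri = https://master.example.com:8089
pass4SymmKey = <your_key>
```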
Every search head must have a site specified for the purpose of "search affinity." This allows the cluster master to direct the search head to the most appropriate indexers for searching. The specification of search head site has nothing to do with replication.
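A search head's site is set the same way. The sketch below assumes a search head that physically sits at 'alpha' but is assigned to site1, one of the sites that actually has indexers; the site choice and the master address are hypothetical.

```
# server.conf on a search head; illustrative sketch only
[general]
# Assumed: the site with indexers that is closest to this search head
site = site1

[clustering]
mode = searchhead
multisite = true
# Hypothetical master address
master_uri = https://master.example.com:8089
pass4SymmKey = <your_key>
```

With this kind of assignment, search affinity would favor the site1 indexers for searches from this search head, and replication is unaffected.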
Since you don't actually have indexers at sites Alpha and Bravo, I would specifically:
This solution does not require set indexing-ready on the cluster master (although that's not a bad practice anyway).
It also allows you to pick the optimum site for search heads to search.
It is less of a hack and better aligned with the way indexer clustering works in Splunk.