Deployment Architecture

Location and site definition in Indexer Cluster

SirHill17
Communicator

Hi,

I am trying to set up new Indexer Clusters which must comply with different regulators.
There are three different locations (EMEA, ASIA, US). Each location has two sites.
What I would like to do is have replication within a location, not across locations.

The setup in the config would look like:

site_replication_factor = origin:1, emea(site1:1, site2:1), asia(site3:1, site4:1), us(site5:1, site6:1), total:2

Does anyone know a way to manage that with a single indexer cluster master instead of having a master for every location?

Thanks for your help.

1 Solution

nickhills
Ultra Champion

The Splunk architecture does not really address this need as it stands today.

A 'Cluster', while it can have multiple sites, is still one cluster, and therefore data from any site will "likely" exist in more than 1 site.
(You can't force site separation, but you can suggest Splunk arranges your replicas like this - however if you have a failure of any peer, Splunk will take any action it can to restore the rep & search factors which will inevitably mean more replicated data across multiple sites).

I think the concise answer to your question is that this can't presently address your needs.

The alternative is separate clusters per regulated zone, but this does mean separate masters - and depending on the regulations you are working towards - possibly separate search heads.

If my comment helps, please give it a thumbs up!


SirHill17
Communicator

Thanks for your input. Regarding peer failure, that's why I wanted to have data replicated between two sites in the same location (meaning two different data centers). But my assumption was, like you mentioned, that the Splunk architecture is not made for that purpose.
Regarding SH, I think I am good, as even if I use a different indexer master per location, I should be able to use only a single SHC which has access to all indexers across all locations.
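
A sketch of the separate-cluster-per-location layout discussed in this thread, as an added example that is not from either poster or from Splunk. Hostnames, secrets and the site-to-data-center assignments are placeholders, and `mode = master` / `slave` with `master_uri` are the setting names from the era of this thread (newer releases call them `manager` / `peer` and `manager_uri`).

```ini
# --- EMEA cluster master: server.conf (constructed example) ---
[general]
site = site1

[clustering]
mode = master
multisite = true
# Only the two EMEA data centers are members of this cluster, so a
# fix-up after a peer failure can never place a copy in ASIA or US.
available_sites = site1,site2
site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2
pass4SymmKey = <emea-cluster-secret>

# --- EMEA peer in the second data center: server.conf ---
[general]
site = site2

[replication_port://9887]

[clustering]
mode = slave
master_uri = https://cm-emea.example.com:8089
pass4SymmKey = <emea-cluster-secret>

# --- Search head: server.conf, one stanza per regional master ---
# The ASIA and US masters and peers repeat the EMEA pattern with their
# own master host and their own secret. Each cluster numbers its sites
# independently, so the "site" value below is per cluster.
[clustering]
mode = searchhead
master_uri = clustermaster:emea,clustermaster:asia,clustermaster:us

[clustermaster:emea]
master_uri = https://cm-emea.example.com:8089
multisite = true
site = site1
pass4SymmKey = <emea-cluster-secret>

[clustermaster:asia]
master_uri = https://cm-asia.example.com:8089
multisite = true
site = site1
pass4SymmKey = <asia-cluster-secret>

# [clustermaster:us] follows the same pattern.
```

Giving each regional cluster its own `pass4SymmKey` means a peer from one region cannot join another region's cluster by misconfiguration. Whether search heads that can read every region are acceptable is the regulatory question raised in the accepted answer.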
