Location and site definition in Indexer Cluster

SirHill17
Communicator

Hi,

I am trying to set up new Indexer Clusters which must comply with different regulators.
There are three different locations (EMEA, ASIA, US). Each location has two sites.
What I would like to do is have replication within a location, not across locations.

The setup in the config would look like:

site_replication_factor = origin:1, emea(site1:1, site2:1), asia(site3:1, site4:1), us(site5:1, site6:1), total:2

Does anyone know a way to manage that with a single indexer cluster master instead of having a master for every location?

Thanks for your help.

1 Solution

nickhills
Ultra Champion

The Splunk architecture does not really address this need as it stands today.

A 'Cluster', while it can have multiple sites, is still one cluster, and therefore data from any site will "likely" exist in more than 1 site.
(You can't force site separation, but you can suggest Splunk arranges your replicas like this - however if you have a failure of any peer, Splunk will take any action it can to restore the rep & search factors which will inevitably mean more replicated data across multiple sites).

I think the concise answer to your question is that this can't presently address your needs.

The alternative is separate clusters per regulated zone, but this does mean separate masters - and depending on the regulations you are working towards - possibly separate search heads.

If my comment helps, please give it a thumbs up!

SirHill17
Communicator

Thanks for your inputs. Regarding peer failure, it's why I wanted to have data replicated between two sites in the same location (meaning two different data centers). But my assumption was like you mentioned, Splunk Archi is not done for that purpose.
Regarding SH, I think I am good as even if I use different Indexer master per location, I should be able to only use a single SHC which has access to all indexers across all locations.

0 Karma
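
The layout the thread converges on (one multisite cluster and master per location, one search head cluster attached to all three), sketched as an added example that is not from either poster. Hostnames, stanza labels and the `<...>` secrets are placeholders, and the site names are assumed to be reused inside each separate cluster. Searches run this way still return events from every location to the same search heads, which is the case the answer flags when it mentions possibly separate search heads.

```ini
# ---- server.conf on the EMEA cluster master (repeat per location) ----
[general]
site = site1

[clustering]
mode = master
multisite = true
# This cluster only knows the two EMEA data centers, so no replica
# can be placed outside the location, even during fix-up after a peer failure.
available_sites = site1,site2
# One copy on the originating site, two copies in total:
# the second copy has to land on the other EMEA site.
site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2
pass4SymmKey = <emea-cluster-secret>

# ---- server.conf on each member of the single search head cluster ----
[clustering]
mode = searchhead
master_uri = clustermaster:emea, clustermaster:asia, clustermaster:us

[clustermaster:emea]
master_uri = https://cm-emea.example.com:8089
multisite = true
site = site1
pass4SymmKey = <emea-cluster-secret>

[clustermaster:asia]
master_uri = https://cm-asia.example.com:8089
multisite = true
site = site1
pass4SymmKey = <asia-cluster-secret>

[clustermaster:us]
master_uri = https://cm-us.example.com:8089
multisite = true
site = site1
pass4SymmKey = <us-cluster-secret>
```

Using a different `pass4SymmKey` per cluster keeps a peer from one location from authenticating to another location's master.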