Deployment Architecture

Location and site definition in Indexer Cluster

SirHill17
Communicator

Hi,

I am trying to set up new Indexer Clusters which must comply with different regulators.
There are three different locations (EMEA, ASIA, US). Each location has two sites.
What I would like to do is have replication within a location, not across locations.

The setup in the config would look like:

site_replication_factor = origin:1, emea(site1:1, site2:1), asia(site3:1, site4:1), us(site5:1, site6:1), total:2

Does anyone know a way to manage that with a single indexer cluster master instead of having a master for every location?

Thanks for your help.

1 Solution

nickhills
Ultra Champion

The Splunk architecture does not really address this need as it stands today.

A 'Cluster', while it can have multiple sites, is still one cluster, and therefore data from any site will "likely" exist in more than 1 site.
(You can't force site separation, but you can suggest Splunk arranges your replicas like this - however if you have a failure of any peer, Splunk will take any action it can to restore the rep & search factors which will inevitably mean more replicated data across multiple sites).

I think the concise answer to your question is that this can't presently address your needs.

The alternative is separate clusters per regulated zone, but this does mean separate masters - and depending on the regulations you are working towards - possibly separate search heads.

If my comment helps, please give it a thumbs up!

SirHill17
Communicator

Thanks for your inputs. Regarding peer failure, it's why I wanted to have data replicated between two sites in the same location (meaning two different data centers). But my assumption was, like you mentioned, that Splunk Archi is not done for that purpose.
Regarding SH, I think I am good, as even if I use a different Indexer master per location, I should be able to use only a single SHC which has access to all indexers across all locations.

0 Karma
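
An added example, not part of the original thread and not Splunk tooling: a check that each cluster master's `[clustering]` stanza only lists sites from one regulated location, which is the property the separate-clusters-per-zone layout discussed above depends on. The site-to-location map, the master names and the server.conf fragments are constructed for illustration.

```python
import configparser

# Assumption: site ids mapped to regulated locations as laid out in the question.
SITE_LOCATION = {"site1": "emea", "site2": "emea", "site3": "asia",
                 "site4": "asia", "site5": "us", "site6": "us"}

# Constructed server.conf fragments, one per cluster master (names are hypothetical).
MASTER_CONFS = {
    "emea-master": """[clustering]
mode = master
multisite = true
available_sites = site1,site2
site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2
""",
    "asia-master": """[clustering]
mode = master
multisite = true
available_sites = site3,site4
site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2
""",
    # The single-master layout from the question: one cluster spanning all six sites.
    "global-master": """[clustering]
mode = master
multisite = true
available_sites = site1,site2,site3,site4,site5,site6
site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2
""",
}

def locations_spanned(conf_text):
    """Return the set of regulated locations a cluster's sites belong to."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    clustering = cp["clustering"]
    sites = {s.strip() for s in clustering.get("available_sites", "").split(",")}
    # Sites named explicitly in the replication factor count too (e.g. "site1:1").
    for term in clustering.get("site_replication_factor", "").split(","):
        sites.add(term.split(":")[0].strip())
    sites -= {"", "origin", "total"}
    return {SITE_LOCATION.get(s, "unmapped:" + s) for s in sites}

def audit(confs):
    """Map each cluster spanning several locations, or using an unmapped site, to its span."""
    spans = {name: locations_spanned(text) for name, text in confs.items()}
    return {name: sorted(locs) for name, locs in spans.items()
            if len(locs) != 1 or any(l.startswith("unmapped:") for l in locs)}
```

Calling `audit(MASTER_CONFS)` reports only `global-master`, since its bucket copies can be placed on peers in any of the three locations.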