Deployment Architecture

Location and site definition in Indexer Cluster

Communicator

Hi,

I am trying to set up new Indexer Clusters which must comply with different regulators.
There are three different locations (EMEA, ASIA, US). Each location has two sites.
What I would like to do is have replication within a location, not across locations.

The setup in the config would look like:

site_replication_factor = origin:1, emea(site1:1, site2:1), asia(site3:1, site4:1), us(site5:1, site6:1), total:2

Does anyone know a way to manage that with a single indexer cluster master instead of having a master for every location?

Thanks for your help.

1 Solution

Ultra Champion

The Splunk architecture does not really address this need as it stands today.

A 'Cluster', while it can have multiple sites, is still one cluster, and therefore data from any site will "likely" exist in more than 1 site.
(You can't force site separation, but you can suggest Splunk arranges your replicas like this - however if you have a failure of any peer, Splunk will take any action it can to restore the rep & search factors which will inevitably mean more replicated data across multiple sites).

I think the concise answer to your question is that this can't presently address your needs.

The alternative is separate clusters per regulated zone, but this does mean separate masters - and depending on the regulations you are working towards - possibly separate search heads.

Communicator

Thanks for your input. Regarding peer failure, that is why I wanted to have data replicated between two sites in the same location (meaning two different data centers). But my assumption was, like you mentioned, that the Splunk Archi is not done for that purpose.
Regarding SH, I think I am good, as even if I use a different Indexer master per location, I should be able to use only a single SHC which has access to all indexers across all locations.

0 Karma
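
The layout discussed in this thread (one multisite cluster per location, searched from one search head), sketched as `server.conf` fragments. This is an added example, not configuration posted by anyone in the thread; the host names and `pass4SymmKey` placeholders are hypothetical, and the setting names are the "master" era ones the thread uses. Whether one search head may span all locations is the regulatory question the answer raises, and this configuration does not settle it.

```ini
# ---- EMEA cluster master: server.conf --------------------------------
# Site names are local to a cluster, so each location reuses site1/site2.
[general]
site = site1

[clustering]
mode = master
multisite = true
available_sites = site1,site2
# One copy at the originating site, two copies in total. The second copy
# can only go to the other site of THIS cluster, so replication (including
# fix-up after a peer failure) stays inside the location.
site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2
pass4SymmKey = <emea-cluster-secret>

# The ASIA and US masters carry the same stanzas with their own secret.

# ---- Shared search head: server.conf ---------------------------------
[general]
# site0 disables search affinity; the search head is not tied to any
# single cluster's site.
site = site0

[clustering]
mode = searchhead
master_uri = clustermaster:emea, clustermaster:asia, clustermaster:us

[clustermaster:emea]
master_uri = https://emea-cm.example.com:8089
multisite = true
pass4SymmKey = <emea-cluster-secret>

[clustermaster:asia]
master_uri = https://asia-cm.example.com:8089
multisite = true
pass4SymmKey = <asia-cluster-secret>

[clustermaster:us]
master_uri = https://us-cm.example.com:8089
multisite = true
pass4SymmKey = <us-cluster-secret>
```

Using a distinct `pass4SymmKey` per cluster means a peer from one location cannot join another location's cluster by misconfiguration alone.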