Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Migrate Indexer Cluster to stand alone indexer

dieguiariel
Path Finder
‎09-18-2024 01:07 PM

Hi, we are decomisioning our splunk infra, our company was purchased and the new management want to free resources :(.

We have 3 search heads (stand alone) + 2 indexers (clustered).

They ask me to break the indexer cluster to free storage, cpu and mem, i've found docs about removing nodes but keeping the cluster.  We want to keep just one search head (the one with license master) and one indexer. 

Is there documentation to "break" the cluster and keep just one indexer in stand alone mode? (we need to keep info for "auditing reasons"). 

I know i can just put one in maintenance mode and power off but this procedure is intended to reboot/replace in some time the "faulty" indexer, not to keep it down for ever and ever. 

Regards.

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-18-2024 01:33 PM

A simple way to do it is to remove one indexer from the cluster and run the cluster with a single indexer.  You still will need a CM, but you will save storage and 3 servers (2 SH and 1 Idx).

Use the offline command to take down one indexer (maintenance mode not needed) and the CM will ensure all data exists on the remaining indexer (which it should already).

splunk offline --enforce-counts
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

dieguiariel
Path Finder
‎09-19-2024 06:41 AM

Thank you both for your replies, i was afraid of making a mess keeping a "cluster" with just one node. 

I have SF and Rf=2, im a aware that probably the searches will trigger a warning about a missing node in the cluster but the searches will be performed only for historical reasons.

Thank you again!

This is a really good community, and Splunk is really an excellent product, im really sad that i had to let this go. 

 

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-19-2024 01:04 PM

Change RF/SF to 1 and the CM will not complain about missing nodes.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-18-2024 03:27 PM

I've never done this myself (usually you grow from a stand-alone instance to clustered environment) but there is no real reason why one of your indexers shouldn't work as a stand-alone machine. Of course you know how to remove one indexer from the cluster (I hope you don't have rf=sf=1). If you have rf=2, sf=1 and relatively symmetrical primaries distribution, you might  need extra storage since Splunk will have to rebuild index files from raw data on the remaining indexer. If you have rf=sf=2, you'll just get one indexer down and that's it.

One caveat - since your rf/sf will not be met with just one indexer, your cluster will be searchable but not complete since you'll always be missing the other indexer.

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-18-2024 01:33 PM

A simple way to do it is to remove one indexer from the cluster and run the cluster with a single indexer.  You still will need a CM, but you will save storage and 3 servers (2 SH and 1 Idx).

Use the offline command to take down one indexer (maintenance mode not needed) and the CM will ensure all data exists on the remaining indexer (which it should already).

splunk offline --enforce-counts
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
Top