- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, we are decomisioning our splunk infra, our company was purchased and the new management want to free resources :(.
We have 3 search heads (stand alone) + 2 indexers (clustered).
They ask me to break the indexer cluster to free storage, cpu and mem, i've found docs about removing nodes but keeping the cluster. We want to keep just one search head (the one with license master) and one indexer.
Is there documentation to "break" the cluster and keep just one indexer in stand alone mode? (we need to keep info for "auditing reasons").
I know i can just put one in maintenance mode and power off but this procedure is intended to reboot/replace in some time the "faulty" indexer, not to keep it down for ever and ever.
Regards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A simple way to do it is to remove one indexer from the cluster and run the cluster with a single indexer. You still will need a CM, but you will save storage and 3 servers (2 SH and 1 Idx).
Use the offline command to take down one indexer (maintenance mode not needed) and the CM will ensure all data exists on the remaining indexer (which it should already).
splunk offline --enforce-countsIf this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you both for your replies, i was afraid of making a mess keeping a "cluster" with just one node.
I have SF and Rf=2, im a aware that probably the searches will trigger a warning about a missing node in the cluster but the searches will be performed only for historical reasons.
Thank you again!
This is a really good community, and Splunk is really an excellent product, im really sad that i had to let this go.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Change RF/SF to 1 and the CM will not complain about missing nodes.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've never done this myself (usually you grow from a stand-alone instance to clustered environment) but there is no real reason why one of your indexers shouldn't work as a stand-alone machine. Of course you know how to remove one indexer from the cluster (I hope you don't have rf=sf=1). If you have rf=2, sf=1 and relatively symmetrical primaries distribution, you might need extra storage since Splunk will have to rebuild index files from raw data on the remaining indexer. If you have rf=sf=2, you'll just get one indexer down and that's it.
One caveat - since your rf/sf will not be met with just one indexer, your cluster will be searchable but not complete since you'll always be missing the other indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A simple way to do it is to remove one indexer from the cluster and run the cluster with a single indexer. You still will need a CM, but you will save storage and 3 servers (2 SH and 1 Idx).
Use the offline command to take down one indexer (maintenance mode not needed) and the CM will ensure all data exists on the remaining indexer (which it should already).
splunk offline --enforce-countsIf this reply helps you, Karma would be appreciated.
