Migrate Indexer Cluster to stand alone indexer

dieguiariel
Path Finder

Hi, we are decommissioning our Splunk infra; our company was purchased and the new management wants to free resources :(.

We have 3 search heads (stand alone) + 2 indexers (clustered).

They ask me to break the indexer cluster to free storage, CPU and mem. I've found docs about removing nodes but keeping the cluster. We want to keep just one search head (the one with license master) and one indexer.

Is there documentation to "break" the cluster and keep just one indexer in stand alone mode? (we need to keep info for "auditing reasons"). 

I know I can just put one in maintenance mode and power off, but this procedure is intended to reboot/replace the "faulty" indexer in some time, not to keep it down for ever and ever.

Regards.

richgalloway
SplunkTrust

A simple way to do it is to remove one indexer from the cluster and run the cluster with a single indexer.  You still will need a CM, but you will save storage and 3 servers (2 SH and 1 Idx).

Use the offline command to take down one indexer (maintenance mode not needed) and the CM will ensure all data exists on the remaining indexer (which it should already).

splunk offline --enforce-counts
---
If this reply helps you, Karma would be appreciated.

dieguiariel
Path Finder

Thank you both for your replies, I was afraid of making a mess keeping a "cluster" with just one node.

I have SF and RF=2. I'm aware that the searches will probably trigger a warning about a missing node in the cluster, but the searches will be performed only for historical reasons.

Thank you again!

This is a really good community, and Splunk is really an excellent product. I'm really sad that I had to let this go.

richgalloway
SplunkTrust

Change RF/SF to 1 and the CM will not complain about missing nodes.

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust

I've never done this myself (usually you grow from a stand-alone instance to a clustered environment) but there is no real reason why one of your indexers shouldn't work as a stand-alone machine. Of course you know how to remove one indexer from the cluster (I hope you don't have rf=sf=1). If you have rf=2, sf=1 and relatively symmetrical primaries distribution, you might need extra storage since Splunk will have to rebuild index files from raw data on the remaining indexer. If you have rf=sf=2, you'll just get one indexer down and that's it.

One caveat - since your rf/sf will not be met with just one indexer, your cluster will be searchable but not complete since you'll always be missing the other indexer.
