Deployment Architecture

Moving from a single indexer/search head to indexer clustering, does the master node have to be a separate server, or can I use the deployment server?

hagjos43
Contributor

Good morning.

We are (finally) looking to upgrade and add a second indexer in the mix. Our current setup is the following:
Searchhead x 1
Indexer x 1
Deployment Server x 1

We want to do single site indexer clustering with full redundancy between both indexers, as well as decreased search time (spreading a search across multiple indexers). From what I'm reading here we must identify a master node. My question is, does this have to be a separate server or can I use the deployment server as the master node? Are there any best practices, or additional guides anyone would advise using?

Many thanks
- Joe

1 Solution

jeffland
SplunkTrust

You can use the deployment server for that; up to a certain indexed volume and number of indexers, the master node does not require that many resources. See here for the official docs on that.


srisahitya_v
Communicator

If you want to do indexer clustering, then setting up 3 indexes is a best practice. 2 search heads help to get rid of a single point of failure.
Then you should have a master node.
You can use the deployment server as the master node.
Please find the link below.

hagjos43
Contributor

I configured the master server and indexers with a replication factor of 2. The indexes did not replicate already indexed data. Is there a way to replicate previously indexed data, or is it ONLY data from the date replication is enabled and future data?

Thanks


jeffland
SplunkTrust

That is possible, but not recommended.

If your license allows and you really need the data clustered, you could also re-index it.


hagjos43
Contributor

So there is no automatic way to do this?

Here is our situation. We need to take down server 1 for maintenance and many other things (will be down for up to a week). We want a second indexer added (indexer clustering) so that during the downtime users can still search historical data. The new indexer will receive data during down time.

When the maintenance is complete we will bring the server (original indexer) back up and add it back to the mix. From that point forward we will have two indexers in a cluster.

FYI - The forwarders will be configured to send data to both indexers.


jeffland
SplunkTrust

In that case, you could simply move your already indexed data as it is to the new machine - but be careful to follow the instructions.

hagjos43
Contributor

If I want the indexes to be replicated from indexer1 to indexer2 should replication factor be set to 2?

Within the master's indexes.conf I have it set to:

[indexnamegoeshere]
repFactor=auto

jeffland
SplunkTrust

You set the replication factor when you set the cluster up. I would recommend you do it via the GUI if this is your first time doing it.

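The distinction behind the last two posts, shown as an added configuration example that is not from the original thread or from Splunk's documentation: the cluster-wide replication factor is set in server.conf on the master, while repFactor=auto in indexes.conf only marks an index as eligible for replication. The hostname, port and shared key below are placeholders.

```ini
# --- server.conf on the master node (constructed example) ---
[clustering]
mode = master
# replication_factor cannot exceed the number of peers, so 2 is the
# maximum for a two-indexer cluster; search_factor must be <= replication_factor
replication_factor = 2
search_factor = 2
# shared secret that authenticates peers to the master; use a strong value,
# set the same value on every cluster node, and do not ship it in
# deployment-server apps that unrelated forwarders also receive
pass4SymmKey = CHANGE_ME_placeholder_secret

# --- server.conf on each indexer (cluster peer), constructed example ---
[replication_port://9887]

[clustering]
mode = slave
master_uri = https://cluster-master.example.internal:8089
pass4SymmKey = CHANGE_ME_placeholder_secret

# --- indexes.conf in the master-apps bundle pushed from the master to the peers ---
[indexnamegoeshere]
homePath   = $SPLUNK_DB/indexnamegoeshere/db
coldPath   = $SPLUNK_DB/indexnamegoeshere/colddb
thawedPath = $SPLUNK_DB/indexnamegoeshere/thaweddb
# "auto" means: replicate this index using the cluster's replication_factor;
# an explicit number here is not how the cluster-wide factor is chosen
repFactor = auto
```

Buckets that already existed on a peer before it joined the cluster are not replicated retroactively, which is the behaviour described earlier in the thread.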