Multi site cluster (3 sites) with a site separated from the other ones


Please, I would like to know if the following is a possible/valid Splunk architecture.

Multisite cluster, with sites A, B and C. 200 forwarders.

  • sites A and B communicating with each other and replicating data, receiving logs from forwarders 1 to 100.
  • site C receiving logs from forwarders 101 to 200 and replicating data only inside the site itself.

Thanks and best regards.


Path Finder

Not within the same cluster. You would need to split your sites into different clusters. A & B with one cluster master, and C with a separate cluster master.

You can still search both, as if they are 'all the same' from the search head perspective. Just add stanzas for both of the cluster masters in server.conf

[clustering]
mode = searchhead
master_uri = clustermaster:clusterAB, clustermaster:clusterC

[clustermaster:clusterAB]
master_uri =
multisite = true

[clustermaster:clusterC]
master_uri =
multisite = true

I would suggest using multisite, even for the Site C only cluster, in case you want to stand up additional sites for that cluster later, or want to merge them later (if you don't want a bunch of standalone buckets to deal with in that situation).

In order to split those forwarders out to the various sites on the indexer side, you can use a deployment app for the UFs that includes an outputs.conf file which would have a different [tcpout] stanza between the two apps.

For example:

SiteAB_Outputs_app outputs.conf:

[tcpout:siteAB]
server = siteA_idx_1:8089,siteA_idx_2:8089,siteB_idx_3:8089,siteB_idx_4   (etc...)

SiteC_Outputs_app outputs.conf:

[tcpout:siteC]
server = siteC_idx_1:8089,siteC_idx_2:8089,siteC_idx_3:8089,siteC_idx_4   (etc...)

...etc... up through 100

...etc... up through 200


Or if you have some other way to identify those UFs in order to split them, like perhaps using a clientName value, or wildcarding the hostname, or by OS, etc, you could use that instead of the individual whitelist.# whitelisting. Or even use an 'external' whitelist file similar to this:

whitelist.from_pathname = /path/to/whitelists/filename.list


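As an added example (not code from the thread), a small Python check for the serverclass split described above: it reads a constructed serverclass.conf, works out which outputs app each forwarder would receive, and reports any forwarder that would get none or both, since a forwarder matched by both classes would send its logs into both clusters. The class and app names, hostnames and the fnmatch-style wildcard matching are assumptions made for the example.

```python
import fnmatch
import re

def parse_conf(text):
    """Minimal Splunk .conf reader: {stanza: {key: value}}; no continuation lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def outputs_apps_per_forwarder(serverclass_conf, forwarders):
    """Apps each forwarder would get; whitelists matched with fnmatch wildcards (an approximation)."""
    conf = parse_conf(serverclass_conf)
    apps = {host: set() for host in forwarders}
    for stanza in conf:
        m = re.fullmatch(r"serverClass:([^:]+):app:(.+)", stanza)
        if not m:
            continue
        sc, app = m.groups()
        patterns = [v for k, v in conf.get(f"serverClass:{sc}", {}).items()
                    if re.fullmatch(r"whitelist\.\d+", k)]
        for host in forwarders:
            if any(fnmatch.fnmatch(host, p) for p in patterns):
                apps[host].add(app)
    return apps

def routing_conflicts(apps):
    """Forwarders with no outputs app, or more than one (their logs would land in both clusters)."""
    return {host: sorted(a) for host, a in apps.items() if len(a) != 1}

# Constructed sample: "uf1*" was meant for uf101-uf199 but also catches uf100.
SERVERCLASS_CONF = """
[serverClass:SiteAB_UFs]
whitelist.0 = uf0*
whitelist.1 = uf100
[serverClass:SiteAB_UFs:app:SiteAB_Outputs_app]
[serverClass:SiteC_UFs]
whitelist.0 = uf1*
whitelist.1 = uf200
[serverClass:SiteC_UFs:app:SiteC_Outputs_app]
"""
FORWARDERS = ["uf001", "uf050", "uf100", "uf101", "uf200", "uf999"]
```

Running `routing_conflicts(outputs_apps_per_forwarder(SERVERCLASS_CONF, FORWARDERS))` flags uf100 (both apps) and uf999 (no app), which is the check worth repeating whenever a whitelist is edited.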


Why do that? Why not just use 2 indexer clusters?

If this reply helps you, Karma would be appreciated.

Revered Legend

Correct, there is no replication happening between site C and the other two, so technically they're not clustered together anyway. Keeping two clusters (one multisite with A and B, and the other in C) will help you segregate the forwarders as well (you would be able to utilize the Indexer Discovery feature).
