Solved: Multiple indexer clusters environment

omerl · ‎05-26-2018

Hey,
I am thinking of having 2 indexer clusters in my environment:
1. “Raw data” cluster, which receives data from windows event forwarders & other “external” connectors.
2. Summary cluster, which receives data from search heads, after those summarized it and took out only part of the “raw data” from cluster 1.

I was wondered whether this is the best solution to my problem, as I want to summarize the data to keep it searchable, which is not possible with the amounts of raw data I have, but still let the users use the “raw data” on real time, so both clusters are needed to be searched.

Is separating the clusters a good idea? Maybe it would be better to use 1 cluster for both purposes, using the same hardware?

Thanks!

xpac · ‎05-27-2018

So far, I don't see a good reason for separating those indexers.
They can share the load more evenly when sharing all work, so I'd keep them all together.

Hope that helps.

View solution in original post

xpac · ‎05-27-2018

So far, I don't see a good reason for separating those indexers.
They can share the load more evenly when sharing all work, so I'd keep them all together.

Hope that helps.

Multiple indexer clusters environment

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk