Solved: Multiple indexer clusters environment

omerl · ‎05-26-2018

Hey,
I am thinking of having 2 indexer clusters in my environment:
1. “Raw data” cluster, which receives data from windows event forwarders & other “external” connectors.
2. Summary cluster, which receives data from search heads, after those summarized it and took out only part of the “raw data” from cluster 1.

I was wondered whether this is the best solution to my problem, as I want to summarize the data to keep it searchable, which is not possible with the amounts of raw data I have, but still let the users use the “raw data” on real time, so both clusters are needed to be searched.

Is separating the clusters a good idea? Maybe it would be better to use 1 cluster for both purposes, using the same hardware?

Thanks!

xpac · ‎05-27-2018

So far, I don't see a good reason for separating those indexers.
They can share the load more evenly when sharing all work, so I'd keep them all together.

Hope that helps.

View solution in original post

xpac · ‎05-27-2018

So far, I don't see a good reason for separating those indexers.
They can share the load more evenly when sharing all work, so I'd keep them all together.

Hope that helps.

Multiple indexer clusters environment

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...