Deployment Architecture

Multisite Cluster Configuration

Roger_FB
Explorer

Hello,
I have the following question:
I would like to set up a multisite cluster with the following structure:

---------

Site 01:
Node01
Index A

Site 02:
Node02
Index B
Index C

Node03
Index D

SearchHead:
Only via Node02 and Node03

Replication:
Index A and B on Node01, Node02, Node03
Index C and D only on Node02 and Node03

Only the replications should be exchanged between Site 01 and Site 02 (no distributed search)

----------------

Is this possible and what do the configs look like (server.conf, indexes.conf etc)?

 

Have a great day and thank you very much

 

0 Karma
1 Solution

PickleRick
SplunkTrust

No. You cannot define (site) replication/search factors on a per-index level. You can set an index to being non-replicated but cannot go beyond that.

You set (site)SF/RFs at the server level and only define whether the index is replicated at index level.

So to have a setup with some indexes being replicated between sites and some not you'd need to have separate clusters (I'm not sure however how you go about site-affinity for search-heads when you're connecting to multiple clusters - never tried that).
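An added illustration of the two settings the answer above refers to (not posted by anyone in the thread): the site replication and search factors live once in the cluster manager's `server.conf`, while `indexes.conf` only switches replication on or off per index. The site names, the index stanza names `index_a` and `index_c`, the paths and the secret placeholder are assumptions made for this sketch.

```ini
# ---- server.conf on the cluster manager ----
[general]
site = site1

[clustering]
# Older releases spell this mode "master".
mode = manager
multisite = true
available_sites = site1,site2
# One policy for every replicated index in the cluster:
# one copy on the single site1 peer, two copies on the two site2 peers.
site_replication_factor = origin:1,site1:1,site2:2,total:3
site_search_factor = origin:1,total:2
# Placeholder, replace with the cluster's shared secret.
pass4SymmKey = <cluster-secret-placeholder>

# ---- indexes.conf distributed to all peers ----
[index_a]
homePath   = $SPLUNK_DB/index_a/db
coldPath   = $SPLUNK_DB/index_a/colddb
thawedPath = $SPLUNK_DB/index_a/thaweddb
# Replicated, following the cluster-wide site policy above.
repFactor = auto

[index_c]
homePath   = $SPLUNK_DB/index_c/db
coldPath   = $SPLUNK_DB/index_c/colddb
thawedPath = $SPLUNK_DB/index_c/thaweddb
# Not replicated at all. No value here expresses "replicate within site2 only";
# setting this to auto would also place a copy on the site1 peer.
repFactor = 0
```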

gcusello
SplunkTrust

Hi @Roger_FB ,

at first, this question isn't for the Community but you should engage a Splunk Architect or a Splunk PS.

Anyway, let me understand:

  • you have one Indexer on Site1 and two in Site2
  • indexes on Site2 must be replicated only on Indexers in Site2, instead Indexes in Site1 must be replicated also in Site2.

I'm not sure it's possible to have Indexes not replicated in both the Sites.

Ciao.

Giuseppe

0 Karma

Roger_FB
Explorer

Hi Giuseppe,
thank you for your answer.

 


Anyway, let me understand:

  • you have one Indexer on Site1 and two in Site2
  • indexes on Site2 must be replicated only on Indexers in Site2, instead Indexes in Site1 must be replicated also in Site2.

Yes, that is correct.

Greetings

Roger

0 Karma

gcusello
SplunkTrust

Hi @Roger_FB ,

as @PickleRick and I said, you cannot configure different replication and search factors for each index, but only one for the entire cluster.

You can only define that there are not replicated indexes.

Ciao.

Giuseppe
