Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regarding Setting up the Multisite Indexer Cluster

dhana22
Explorer
‎11-16-2023 08:31 AM

Hello All, 

I am setting up a multisite indexer cluster with cluster manager redundancy, 

I am setting up 2 clustermanager (site1 and site2)

Below is the config e.g.

[clustering]
mode = manager
manager_switchover_mode = auto
manager_uri = clustermanager:cm1,clustermanager:cm2
pass4SymmKey = changeme

[clustermanager:cm1]
manager_uri = https://10.16.88.3:8089

[clustermanager:cm2]
manager_uri = https://10.16.88.4:8089

My question is, I have 2 indexers on each site, should I give the manager_uri in the peer (indexer) of site1 to point to cm1 and manager_uri in the peer (indexer) of site2 to  point to cm2. or all should point to the same indexer?

indexer 1 / indexer 2 - 

manager_uri = https://10.16.88.3:8089

indexer 3 / indexer 4 - 

manager_uri = https://10.16.88.4:8089

 

Also in the SearhHeads what should I define for the manager_uri? please advice.

 

Thanks,

Dhana

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-16-2023 11:29 PM

Hi @dhana22 ,

in the multisite Indexer Cluster architecture, there's only one Cluster Manager not two, if you have two Cluster Manager you have two clusters.

You can eventually have, in the secondary site, a turned off copy of the Cluster Manager but anyway the active CM is only one.

For more infos see at https://docs.splunk.com/Documentation/Splunk/9.1.1/Indexer/Basicclusterarchitecture 

Ciao.

Giuseppe

Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-24-2023 07:03 AM

Hi

Since 9.x there have been a feature "redundancy cluster master" https://docs.splunk.com/Documentation/Splunk/latest/Indexer/CMredundancy.

That doc's and what @gcusello pointed here don't said that this didn't work also for multisite clusters! Actually the first doc said that his can do also with multisite cluster. There are some new issues which you must take care of e.g. LB configuration, but this should be doable. There seems to be some differences between those docs and https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Managersitefailure, so doc feed back is needed (sent).

r. Ismo

 

0 Karma
Reply

_JP
Contributor
‎11-16-2023 08:43 AM

When doing a high-availability with multiple cluster managers (CM), you should have a load balancer (LB) in front of them.  The manager_ui configuration then points to the LB - not an individual CM.  The CM's will keep their bundles in sync, and the LB will help ensure that your indexers always reach a "good" one that is up.

 

Here's the docs that explain how to put an LB in front of the CMs in this scenario.

Reply

dhana22
Explorer
‎11-21-2023 03:52 PM

Thanks a lot, will try to configure with the LB and test it out, so the forwarders also will be sending data to the LB URL? 

Dhana

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...