Regarding Setting up the Multisite Indexer Cluster

dhana22
Explorer

Hello All, 

I am setting up a multisite indexer cluster with cluster manager redundancy.

I am setting up 2 cluster managers (site1 and site2).

Below is the config e.g.

[clustering]
mode = manager
manager_switchover_mode = auto
manager_uri = clustermanager:cm1,clustermanager:cm2
pass4SymmKey = changeme

[clustermanager:cm1]
manager_uri = https://10.16.88.3:8089

[clustermanager:cm2]
manager_uri = https://10.16.88.4:8089

My question is: I have 2 indexers on each site. Should I set the manager_uri in the peers (indexers) of site1 to point to cm1 and the manager_uri in the peers (indexers) of site2 to point to cm2, or should all point to the same indexer?

indexer 1 / indexer 2 - 

manager_uri = https://10.16.88.3:8089

indexer 3 / indexer 4 - 

manager_uri = https://10.16.88.4:8089

 

Also, in the Search Heads, what should I define for the manager_uri? Please advise.

 

Thanks,

Dhana


gcusello
SplunkTrust

Hi @dhana22 ,

In the multisite Indexer Cluster architecture, there's only one Cluster Manager, not two; if you have two Cluster Managers, you have two clusters.

You can eventually have, in the secondary site, a turned-off copy of the Cluster Manager, but anyway the active CM is only one.

For more info, see https://docs.splunk.com/Documentation/Splunk/9.1.1/Indexer/Basicclusterarchitecture

Ciao.

Giuseppe

isoutamo
SplunkTrust

Hi

Since 9.x there has been a feature, "redundancy cluster master": https://docs.splunk.com/Documentation/Splunk/latest/Indexer/CMredundancy

That doc and the one @gcusello pointed to here don't say that this doesn't also work for multisite clusters! Actually, the first doc says that this can also be done with a multisite cluster. There are some new issues which you must take care of, e.g. LB configuration, but this should be doable. There seem to be some differences between those docs and https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Managersitefailure, so doc feedback is needed (sent).

r. Ismo

 


_JP
Contributor

When doing high availability with multiple cluster managers (CMs), you should have a load balancer (LB) in front of them. The manager_uri configuration then points to the LB, not an individual CM. The CMs will keep their bundles in sync, and the LB will help ensure that your indexers always reach a "good" one that is up.

Here are the docs that explain how to put an LB in front of the CMs in this scenario.

dhana22
Explorer

Thanks a lot, will try to configure with the LB and test it out. So the forwarders will also be sending data to the LB URL?

Dhana
