
Splunk Indexer clustering replication is Not working


We have 2 sites (site1, site2). Each site has 2 indexers, Site1 (A, B) and Site2 (C, D), and 1 search head per site.

Cluster Master server.conf is:
replication_factor = 2
search_factor = 1
buckets_to_summarize = primaries
summary_replication = 0
rebalance_threshold = 0.900000
multisite = true
site = site1
available_sites = site1,site2
site_replication_factor = origin:1, site1:2, site2:1, total:3
site_search_factor = origin:1, site1:1, site2:1, total:2

Replication factor and search factor were met.

After an incident, Site1 indexer A was down for an hour and we lost the data. As per expectations, data should have been coming via site1 indexer B, but it didn't.

We made a small change in the server.conf but are not sure whether it will do the job or not.
Current Cluster Master server.conf:
replication_factor = 2
search_factor = 1
buckets_to_summarize = primaries
summary_replication = 0
rebalance_threshold = 0.900000
multisite = true
site = site1
available_sites = site1,site2
site_replication_factor = origin:2, total:3
site_search_factor = origin:1, total:2

Now, we still have to test it by bringing Indexer A down. As of now, we are not sure if it's fixed.
Update: Earlier RF & SF used to be "MET"; after
site_replication_factor = origin:2, total:3
site_search_factor = origin:1, total:2
RF is "NOT MET".

Let us know what the right server.conf should be, or any other missing configuration needed to ensure DR in case of 2 sites, 2 indexers each, 1 search head each site.


Re: Splunk Indexer clustering replication is Not working

SplunkTrust

The setup looks fine. I believe what happened was forwarder stickiness instead.

Forwarders will stick to indexers unless you enable the time-based autoLB function in outputs.conf. Google “splunk forwarder stickiness” for some articles on it.
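The time-based load-balancing setting referred to in the answer above, as an added example that is not part of the original posts: a forwarder `outputs.conf` that lists all four indexers (A to D) and forces a switch on every load-balancing interval. The hostnames, the group name and port 9997 are assumptions.

```ini
# outputs.conf on each forwarder.
# Constructed example: hostnames, group name and port are placeholders,
# not values taken from the thread.

[tcpout]
defaultGroup = all_indexers

# "Sticky" form, for comparison (left commented out):
# with only the defaults, a forwarder that is reading a long-lived stream
# can keep sending to the indexer it first connected to, so its data is
# tied to that one indexer's availability.
#
# [tcpout:all_indexers]
# server = idx-a.site1.example.com:9997, idx-b.site1.example.com:9997

# Corrected form: every indexer is listed and the forwarder is forced to
# pick a new target on each interval.
[tcpout:all_indexers]
server = idx-a.site1.example.com:9997, idx-b.site1.example.com:9997, idx-c.site2.example.com:9997, idx-d.site2.example.com:9997

# Seconds between re-selecting a target indexer (30 is the default).
autoLBFrequency = 30

# Switch indexers on every interval even if the current stream has not
# ended (default is false). Check how the forwarder finds event
# boundaries before enabling this for large multi-line events.
forceTimebasedAutoLB = true
```

This changes only where forwarders send new data; the replication and search factors in the cluster master's server.conf are unaffected by it.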
