I'm designing a new Splunk solution based on Search head clustering on top of a multi site indexing cluster. (a small cluster that can grow)
Three search heads (search head cluster), four indexers, two sites. (2 site cluster)
Main data center : Two search heads and two indexers.
Remote data center : One search head and two indexers.
Master node and deployer is located on a VM in main site (can be moved to other site)
Search head config:
replication_factor=3 (all search heads should have complete set)
Index cluster config on master node.
mode = master
site_replication_factor = origin:1,total:2 (Only one complete copy per data center)
site_search_factor = origin:1,total:2
Q1: Will this work, and is this a good idea? 😉
Q2: If main data center fails, will data still be searchable on remote site even if this search head can't be elected captain?
Q3: If this doesn't work, What must be done to the remote site to make it operational?