Deployment Architecture

Single Site or Multi Site Indexer Clustering

hectorvp
Communicator

Hi Splunkers,

We have servers running on 2 different on premises Data Centre.

We are planning Splunk deployment architecture to fetch the events from server.

We are planning to have 1 indexer at each Data Centre and making a clustering of this 2 indexers.

Reason for clustering is suppose 1 indexer goes down then the other one can keep on fetching events from the servers of other DC with no downtime with these aspects.

And clustering will also help us to use 1 search head for both DCs as we dont have many users for monitoring.

Both Data centres are connected to each other with some dedicated LAN channels....

Both indexers would be under same virtual network.

Will this be as simple as single site cluster??? If I configure them as single site cluster would there be any architectural issues or I'm going in right way?

Or will their be a concept multi site needs to be implemented?

 

 

 

1 Solution

richgalloway
SplunkTrust
SplunkTrust

First, clustering is not necessary for a single SH to search multiple indexers.

When sizing your 2 indexers, make each capable of handling 100% of the ingestion and search load.  There's no point in having redundancy if the backup fails under the full load.

Go with a multi-site cluster, even if you decide to treat both DCs as a single site.  The multi-site configuration will make it easier to switch to a true multi-site operation later.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Yes, you'll likely want a replication factor of 2.

400GB per day is a little high for 2 indexers, but may be tough for a single indexer to handle should one of them fail.  A lot depends on the complexity of work being done on the data as well as how many searches it's processing.

---
If this reply helps you, Karma would be appreciated.

hectorvp
Communicator

Thanks @richgalloway 

Yes, these are other complexities as well as we are going to route these events to other third party indexers

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

First, clustering is not necessary for a single SH to search multiple indexers.

When sizing your 2 indexers, make each capable of handling 100% of the ingestion and search load.  There's no point in having redundancy if the backup fails under the full load.

Go with a multi-site cluster, even if you decide to treat both DCs as a single site.  The multi-site configuration will make it easier to switch to a true multi-site operation later.

---
If this reply helps you, Karma would be appreciated.

hectorvp
Communicator

Thanks @richgalloway ,

So we would opt for multi site configuration.

Where 1 DC will contain 1 indexer and master node and other DC will contain another 1 indexer.

Well when each indexer should be capable of 100% ingestion means we need to size its disk space to capable of storing all events.Along with other specs recommended by Splunk.

And having replication factor to 2, did I understood this in a right way?

Currently we have estimated that total events generated by DCs would be around 400GB per day.

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...