Re: Splunk cluster without license master and ind...

samaikins · ‎01-16-2018

HI
is it possible to build a Splunk cluster without a license master and index data replication??

Thanks in advance for the answer

harsmarvania57 · ‎01-16-2018

Hi @samaikins,

Yes you can create Indexer cluster without data replication, just set RF and SF to 1 on CM when you build Indexer Cluster and Cluster will not replicate data from one indexer to another indexer.

Reg. License master, I am bit unclear about your requirement. Can you please explain in more about license master question. General info about LM, License master is require to use same license on different servers in Cluster.

I hope this helps.

Thanks,
Harshil

nickhills · ‎01-16-2018

You can't create a cluster without an enterprise license, and if your going to turn off replication, I question what value running a cluster even brings - additionally I am not even sure running RF at 1 is even supported?

If my comment helps, please give it a thumbs up!

harsmarvania57 · ‎01-16-2018

RF and SF 1 is supported and I have tested this. 🙂

nickhills · ‎01-16-2018

Don't confuse 'supported' with 'it works' - Whilst you may be able to configure low RFs, if you ever have a problem with the cluster, and need assistance from the vendor, unless the configuration is 'supported' you will be on your own (or paying PS).

I have has a look on the documentation site, and I can only find requirements stating that the minimum SF would be 2 (which implies an RF>2) . Unless you have a link to documentation I have not found, or confirmation in writing from Splunk that rf1 would be endorsed and 'supported' I would consider it a very bad idea.

If my comment helps, please give it a thumbs up!

harsmarvania57 · ‎01-16-2018

In that case, you need to contact Splunk support whether it's supported or not. As you can specify those configuration to 1, it should supported otherwise while setting those parameter to 1, splunk should throw WARNING or ERROR message that it is not supported (This is my opinion only)

nickhills · ‎01-16-2018

No. And Yes.

In order to enable clustering an enterprise licence is required.
When you install Splunk by default it is running with a 60 day enterprise trial licence which will allow you to build a cluster, configure replication, and prove your environment is working correctly.

At this point you have not designated any host as a License master (as they are all running with the local trial lic)
(this is the 'yes' part of the answer)

However - to move this into production (or past the initial 60 days) you will need to install a full Enterprise Licence.
The licensing model for Splunk designates a single host on your network as the licence master. All other hosts connect to it as slaves and retrieve and validate your licence entitlements. By definition you need a licence master to facilitate this.
(so this is the 'no')

There are a few caveats and work-arounds (none of which would be considered Splunk supported but may work, albeit with complications down the line).

1.) make one of your cluster members the licence master, and other members slaves. Nothing will prevent you from doing this, but it is not a recommended approach. It also adds some complexity, and builds a dependency into your environment.
2.) split your licence into pools, and assign local pools to each indexer. This is a bad idea, because each indexer may consume different amounts of licence, and as well as not being supported, and feels like a very bad approach.

If my comment helps, please give it a thumbs up!

Splunk cluster without license master and index data replication

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM