Deployment Architecture

Take down a site temporarily in a Multisite Cluster

Path Finder

We have a 2 site  multisite cluster with the following cluster configuration.

The cluster contains 30 indexers total, 15 at each site. There is over a petabyte of data stored across the two sites.



cluster_label = StarfishCluster
mode = master
multisite = true
replication_factor = 2
search_factor = 2
available_sites = site1,site2
site_replication_factor = origin:1,site1:1,site2:1,total:2
site_search_factor = origin:1,site1:1,site2:1,total:2




We may have to move the servers that are in site 1 from one datacenter to another data center. The data center is several hundred miles away so these servers will be offline for over a week. How can we safely take down a site, then re-enable that site at a later time without losing data or having Splunk encounter issues with ingest. As a test we have put the cluster in maintenance mode then taken down all of the hosts within a single site but Splunk stopped indexing data in the other site which remained online. We also experienced an increase in resources which was expected.

Is there documentation available on exactly how to safely take down a site without impacting indexing and search availability?

Labels (2)
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...