Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Upgrade disk in Cluster

jmsiegma
Path Finder
‎06-02-2014 08:38 AM

I have 4 indexers in a cluster, that I need to upgrade the disk to gain more storage.

  • All systems are Linux
  • Each server in the cluster has an /app mount for splunk (/app/splunk/...)
  • Each /app mount is 6TB of space with 4TB usable as RAID 6

I need to pull the existing drives, and replace them with larger drives to get more storage. The question is around what the best process is for the migration strategy:

Option 1) Back up the existing 4TB of data, Pull the existing disks, Replace with new larger disks, Rebuild the array on the new disks (16TB), Restore the files back to the new array, Let cluster re-sync, Repeat process for the other 3 servers.

Option 2) Pull the 4TB Raid Array, Install the new drives and configure RAID 16TB, and let the cluster rebuild what is missing, Once all the systems are Synced, Repeat process for other 3 servers.

The real question is, If you were to loose a whole server in an Index Cluster (On accident or on Purpose), would you loose 1/4 of the of the data, or would it get re-created once you rebuild the servers let the servers replicate things. This is making the assumption that we do NOT have a backup.

I ask the question, because I know in a cluster, some of the buckets get marked as Primary, and Secondary bucket.

Thanks

0 Karma
Reply

mahamed_splunk
Splunk Employee
Splunk Employee
‎06-02-2014 02:57 PM

The real question is, If you were to loose a whole server in an Index Cluster (On accident or on Purpose), would you loose 1/4 of the of the data,

This depends on your replication settings. If you have 2 copies of the data (replication_factor=2), then you will still have one copy in the system even after taking down one of the peers.

0 Karma
Reply

mahamed_splunk
Splunk Employee
Splunk Employee
‎06-03-2014 02:36 PM

Yes, it will replicate the data to 4th indexers whenever it joins the cluster.

0 Karma
Reply

jmsiegma
Path Finder
‎06-03-2014 12:18 PM

I have a replication_factor=4 in my 4 Indexer set. So if I removed the existing drives from the system, and replaced it with completely new drives and RAID set, I could then re-install splunk, and join the indexer to the cluster, and it would replicate 100% of the data to this new 4th instance. correct?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...