Re: What is the procedure to remove a site from a ...

gavsdavs_GR · ‎02-11-2016

I have a 3 site, 6 peer (2 in each) environment which I want to reduce to a 2 site, 4 peer environment due to my company needing to exit a datacentre.

I know I'm going to need to update Site Replication Factor, Site Search Factor, and available_sites in server.conf on my cluster master, and also offline --enforce-counts on my peers, but I do not know the right order to do this.

Do I tell my Cluster Master I'm now running in 2 sites whilst leaving all peers up across 3 sites THEN run offline --enforce-counts on the exiting peers
- OR -
Do I run offline --enforce-counts on my exiting peers and then go and reduce my CMs sites afterwards?

I anticipate either
- the CM getting upset about failing to meet SSF/SRF if I exit the peers first, or
- the CM getting confused by additional, unexpected peers talking to it if i reduce the CM's notion of sites first.

What order is this done in?

Thanks muchly !

gavsdavs_GR · ‎02-15-2016

This cannot currently be done.
https://answers.splunk.com/answers/332839/multisite-indexer-clustering-can-a-site-be-decommi.html

javiergn · ‎02-15-2016

What are your SSF / SRF at the moment?
What sort of replication/resiliency are you planning to have in your 2-site deployment?

What is the procedure to remove a site from a 3 site indexer clustering environment?

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann