Deployment Architecture

What to do with old splunk server?

tcary99
New Member

We have a single Splunk Enterprise server deployment. Recently, we migrated it to newer hardware (SSD drives, etc). The old machine is still a decent piece of equipment, just has less disk space. I've been reading about clustering, or adding an indexer. Would like to make use of the old machine for additional index storage and search, but it seems not worth doing a cluster with only two machines. Also, if I just added an indexer role, I have concerns about re-pointing forwarders there, etc. Any ideas? Anyone else been through something similar, where your older machine had not been "stolen" away and you can make use of it? Thanks in advance!

0 Karma

johnvr
Path Finder

This'll vary greatly depending on your needs, your users, and your environment (especially in comparison to your volume).

First, you can't cluster two indexers without adding a third appliance, a Cluster Master, but you can still employ it as a search peer -
non-clustered indexer - to balance the load.

A couple other ideas...

  • Offload smaller roles, like License Manager or Deployment Server, onto it.
  • Create a dedicated DMC
0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...