
What would be the best site search factor & site replication factor for a 3-sites multisite clustering?

sushree1234
Explorer

Hi All,

I am going to work on a multisite architecture (3 sites) where we are keeping 6 indexers in a cluster (2 in each site), 6 SHs in a cluster (2 in each site), and 3 SHs in another cluster (1 in each site) for reporting.

1 Indexer cluster
2 SH clusters

I wanted to understand what the best site search factor & site replication factor would be for a 3-site multisite cluster. Any suggestion will be appreciated.
Thanks,
Sushree


sushree1234
Explorer

We are making a multisite cluster for high availability. So for a 3-site cluster, what will be the best possible way of defining the site replication and site search factor?


richgalloway
SplunkTrust

The answer depends on what you consider "best". What failure scenarios do you expect the cluster to survive? Are the sites geographically dispersed? Do you have fast pipes (more than one) connecting the sites? Do you have enough disk space to store multiple copies of your Splunk data?

---
If this reply helps you, Karma would be appreciated.

sushree1234
Explorer

As you have asked: Are the sites geographically dispersed? - Yes, geographically they are. All 3 sites are placed in different locations. Do you have fast pipes (more than one) connecting the sites? - Yes, we have.
Do you have enough disk space to store multiple copies of your Splunk data? - Yes, we have kept enough space to keep multiple copies.
I just want a standard count for the site replication factor and search factor for a multisite cluster having 3 sites available.


richgalloway
SplunkTrust

You continue to avoid the most important question: What does "best" mean to you?  It's a subjective term and what's best for one customer may not be best for you and is why we need more information before providing a specific answer.

There is no "standard" value for RF/SF.  The one to use is the smallest value that meets your needs - but you still haven't said what those needs are.


sushree1234
Explorer

As I have mentioned before, it is geographically distributed across 3 different locations, so the main agenda for this multisite clustering is no data loss and high availability. And we have assigned enough space to each instance to keep the backup as well. So could you please give your suggestion on this?


richgalloway
SplunkTrust

"no data loss" - under what circumstances?  Protecting against the loss of a single indexer may not protect against the loss of an entire site.

At a minimum, data should be kept on at least 2 sites using site_replication_factor = origin:1,total:2

For better search performance following an outage, keep at least 2 searchable copies of the data using site_search_factor = origin:1,total:2


rite93
New Member

What would be the Splunk-recommended standard for site search factor and site replication factor if the system needs to withstand a major breakdown?

For this case, 6 indexers are in three sites (2 in each site). Now two sites could be assumed to be down at peak at any point of time.

Similarly, for search heads, 2 clusters are there with three instances in each cluster. So the assumption should be for two sites to go down at peak at any point of time.

The standards need to be known for a robust system.


richgalloway
SplunkTrust

Since there is no such thing as a "standard" indexer multi-site cluster, there are no "standard" site search and replication factor settings.

See https://docs.splunk.com/Documentation/Splunk/8.2.5/Indexer/Sitereplicationfactor .

A search head cluster is different.  SHCs are not site-aware and are not HA.


richgalloway
SplunkTrust

Please define "best" as it applies to your organization.  What requirements must be met?
