Each indexer has the same indexes.conf file except the cold path is different. Which is why I assumed (badly) the data was the exact same data on each indexer.

The indexers aren’t clustered because when I saw they were all peers I thought they were all getting the same data. Basically I’m new and misunderstood what a peer group was vs a clustered group. I did update the HF to include the 4th indexer. But I didn’t exclude the other 3 from the list.

No I take that back. I didn’t make any changes to the HF but to the outputs.conf file to include the new indexer.

Hi @TryingSplunk,

in addition you should check if you configured autoloadbalancing, in this case events are indexed once, otherwise data are indexed more times.

Then, are the first three indexed clustered or not?

Ciao.

Giuseppe

No the first 3 indexers are not clustered. They are in a peer group. Looking at the indexes.conf file the repfactor = auto but not on the main ones like _internal, _audit.

The forwarder output.conf file was my issue. Because of that output.conf file I have a duplicate copy of my data. Once I clear that up then I’m going to tackle clustering the indexers. 

Hi @TryingSplunk ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Well that just made this more confusing. Only one of the forwarders has an output.conf file.  The other ones do not. The forwarder that has the output.conf file is pointing to the indexer that’s full. That explains why when I brought this indexer online it immediately consumed so much. But that output.conf file was already sitting on that forwarder cause I didn’t even think about looking at forwarders when I added the additional indexer. Even stranger is why can I search the data with the indexer no longer in the peer group?  I’ve been going through db by db checking dates of indexes and searching and it’s all there.