As I prefer to upgrade to 6.3, I'm debating whether to use multi-site clustering. We don't currently replicate any data, but that could happen in the future, on a specific index level. Looking at this doc - http://docs.splunk.com/Documentation/Splunk/6.2.7/Indexer/Multisiteclusters , I'm wondering if replication is all or nothing at the clustering layer.
Does anyone know if you can specifically replicate per index with multi-site clustering?
Regardless of whether you do single-site clustering or multi-site clustering, you must always specify which indexes should be replicated.
Simply set up clustering, and then add the following in indexes.conf to each index that you want replicated:
repFactor=auto
In addition to the repFactor=auto comment you can actually disable replication per index by using repFactor=0 in each stanza.
This can be useful for cherry picking which indexes to replicate or not depending on your situation.
Thanks. My other question is, with multi-site clustering, if I do replicate, will it automatically be sent to another site? My guess is yes, and that's the whole purpose...
If you set up multi-site clustering, you must tell Splunk how many copies go to each of the sites.
Once set up, replication is automatic.
This page (and the one after) expose the settings that let you control how many copies are replicated at the origin site and how many at alternate sites (if any): http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Sitereplicationfactor