Deployment Architecture

acceleration with tscollect in indexer cluster

gcusello
SplunkTrust

Hi all,
I have an Indexer Cluster where each Indexer is accessed by users as a stand alone server, in other words there aren't Search Heads.
Now I accelerated some data using tsidx files (tscollect command).

My question is: are tsidx files replicable between indexers, or are they locally generated on each server by the same scheduled search?
In other words: do I have to schedule my scheduled search on one indexer and configure tsidx files replication, or do I have to schedule the same search on both the Indexers?

Thank you for your help.

Bye.
Giuseppe

0 Karma

rphillips_splk
Splunk Employee

The tscollect command uses indexed fields to create time series index (tsidx) files in a namespace that you define. The results are written locally to the instance you run the search on so they are not replicated across an index cluster. This is true even if running the search directly on an indexer via splunk web.

I would recommend adding a search head (stand alone or search head cluster) to this deployment and peering that with your index cluster. Perhaps instead of using tscollect you can use datamodel acceleration (build DMA on search head) and then enable summary_replication = true on your index cluster master.

By default, indexer clusters do not replicate report acceleration and data model acceleration summaries. This means that only primary bucket copies will have associated summaries.

You can configure the master so that the cluster does replicate summaries. All searchable bucket copies will then have associated summaries. This is the recommended behavior.

Note: The replicated summary feature is not available for peer nodes running version 6.3 or below.

If you want the cluster to replicate summaries, you must set this attribute in the master node's server.conf file:

[clustering]
summary_replication = true

You must restart the master.

You can also use the CLI on the master node to set the attribute:

splunk edit cluster-config -summary_replication true

This command does not require a restart.

When the cluster is configured to replicate summaries, the cluster takes steps to ensure that each searchable bucket copy has an associated summary copy:

For hot buckets. The cluster creates a summary for each searchable copy of a hot bucket.

For warm/cold buckets. The cluster replicates summaries for searchable copies of warm or cold buckets, when necessary. The cluster will use replication to fill in any missing summaries for searchable copies of warm or cold buckets.

When you turn on summary replication for the first time, the cluster might need to replicate a large number of summaries. This can have an impact on network bandwidth. To limit the number of summary replications occurring simultaneously, you can change the value of the max_peer_sum_rep_load attribute in the master node's server.conf file. Its default value is 5.
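A quick way to confirm what a given server.conf yields for the two attributes discussed in the answer above (an added example, not part of the original answer and not Splunk's own code). The function names and the sample file contents are hypothetical; the script reads a single file's text and does not merge Splunk's layered configuration directories.

```python
# Added example: inspect the [clustering] stanza of a master node's server.conf.
# SAMPLE_SERVER_CONF is constructed for illustration, not from a real deployment.
SAMPLE_SERVER_CONF = """\
[general]
serverName = master01

[clustering]
mode = master
# replicate acceleration summaries to all searchable bucket copies
summary_replication = true
"""

# Defaults as stated in the answer: summaries are not replicated unless
# enabled, and max_peer_sum_rep_load defaults to 5.
DEFAULTS = {"summary_replication": "false", "max_peer_sum_rep_load": "5"}


def read_stanza(conf_text, stanza):
    """Return the key/value pairs found under [stanza] in conf_text."""
    settings, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            continue
        if current == stanza and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def summary_replication_status(conf_text):
    """Report the summary settings this file yields for the cluster master."""
    found = read_stanza(conf_text, "clustering")
    effective = {k: found.get(k, default) for k, default in DEFAULTS.items()}
    return {
        # Assumption: only the literal "true" (any case) counts as enabled.
        "summary_replication": effective["summary_replication"].lower() == "true",
        "max_peer_sum_rep_load": int(effective["max_peer_sum_rep_load"]),
    }


if __name__ == "__main__":
    print(summary_replication_status(SAMPLE_SERVER_CONF))
```
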
