architecture to support a single-site index in a multisite indexing cluster?

gedworksplunk
Engager

Hello Splunk Gurus,

I have a multisite indexing cluster in Splunk 6.6.1 spanning two sites: small & big.

The "big/site1" site is configured with RF=3/SF=2.
Due to having way less disk, the "small/site2" is configured with RF=1/SF=1.

Is there a way to define an index that would be replicated locally on "big/site1" with RF=3/SF=2, but would not be sent to the "small/site2" at all?
Would changing the per-index definition from "repFactor=auto" to "repFactor=3" deliver what I am looking for? (replicated, but on a single-site originating site)?

Could I achieve this by abandoning the index_master for distributing the indexes.conf file and managing by myself the hand copy/edit of the various index files and rolling-restart of the indexers?

Thanks,


Steve_G_
Splunk Employee

It looks like you're attempting to use the single-site replication/search factor settings for a multisite cluster. The multisite replication factor uses the setting site_replication_factor, which combines the individual site RFs, as well as origin site RF and the total (cluster-wide) RF. See http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Sitereplicationfactor

Also, repFactor is a binary setting that turns replication on or off for an index. Its only valid values are 0 and auto. See http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Configurethepeerindexes#The_indexes.conf_r...

To answer your last question, you must deploy indexes.conf using the configuration bundle method, which distributes the file from the master to the peer nodes. Bypassing the configuration bundle method will likely result in unintended consequences. See http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Managecommonconfigurations

I am not sure that there is a way to get exactly what you want out of site_replication_factor, but read through the page cited above. By adjusting the site replication factors, along with the total and origin fields, you might get close.


gedworksplunk
Engager

Thank you Steve G. for your answer.

I found that there is no way to set up a multisite indexer cluster with some indexes replicated on all sites, and some just for a particular indexer cluster described in the documentation.

Having an index on a single peer is supported though ( http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Managesinglepeerconfigurations#Add_an_inde... )

So what I ended up doing to get a one-site-only index is to:
Create a new file on the index master:
etc/slave-apps/_cluster/local/site1-big-indexes.conf
which is part of the configuration bundle.

Then, I can use the usual:
splunk apply configuration-bundle
which ensures that the new revision of that file makes it to all indexers (or none).

I do get a warning:

[Not Critical]No spec file for: /indexmaster/etc/master-apps/_cluster/local/site1-big-indexes.conf

I went on every indexer on that particular "big" site and added a symbolic link:
cd etc/system/local; ln -sf ../../slave-apps/_cluster/local/site1-big-indexes.conf indexes.conf

The only thing which is not automatically taken care of is the rolling restart if I update the site-only site-big-indexes.conf.
I just manually issue a:
splunk rolling-restart cluster-peers
for that.

This seems to work; I now have indexes replicated on all sites and some that are replicated on one site only.

Thanks,
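
The workaround above depends on a hand-made symlink on every "big"-site peer, which nothing in the cluster checks. The following is an added example, not part of the original post or of Splunk: a check to run on each peer after a bundle push. The paths are the ones given in the post; the function names are hypothetical, and a `readlink` that supports `-f` (GNU coreutils) is assumed.

```shell
#!/bin/sh
# Added example: verify the one-site-only index workaround on a "big"-site peer.
# Paths come from the post; function names are hypothetical.
# Assumes a readlink that supports -f (GNU coreutils).

LINK_REL="etc/system/local/indexes.conf"
BUNDLE_REL="etc/slave-apps/_cluster/local/site1-big-indexes.conf"

# Returns 0 if the link is in place and resolves to the bundle file,
# 1 if indexes.conf is missing or is not a symlink (e.g. overwritten by hand),
# 2 if it resolves to some other file, 3 if it dangles (bundle file gone).
check_site_index_link() {
    home=$1
    link="$home/$LINK_REL"
    if [ ! -L "$link" ]; then
        echo "not a symlink: $link" >&2
        return 1
    fi
    if [ ! -e "$link" ]; then
        echo "dangling symlink: $link" >&2
        return 3
    fi
    got=$(readlink -f "$link")
    want=$(readlink -f "$home/$BUNDLE_REL")
    if [ "$got" != "$want" ]; then
        echo "unexpected target: $got" >&2
        return 2
    fi
    return 0
}

# Print the index stanza names the peer reads through the link, one per line,
# so the output can be compared across peers after a bundle push.
list_site_indexes() {
    sed -n 's/^\[\([^]]*\)\][[:space:]]*$/\1/p' "$1/$LINK_REL"
}

# Run against a real peer only when SPLUNK_HOME is set.
if [ -n "${SPLUNK_HOME:-}" ]; then
    check_site_index_link "$SPLUNK_HOME" && list_site_indexes "$SPLUNK_HOME"
fi
```

A non-zero result on any "big"-site peer means that peer is not reading the site-only index definitions, even though the bundle push itself reported success.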
