Deployment Architecture

architecture to support a single-site index in a multisite indexing cluster?

Hello Splunk Gurus,

I have a multisite indexing cluster in Splunk 6.6.1 spanning two sites: small & big.

The "big/site1" site is configured with RF=3/SF=2.
Due to having way less disk, the "small/site2" is configured with RF=1/SF=1.

Is there a way to define an index that would be replicated locally on "big/site1" with RF=3/SF=2, but would not be sent to the "small/site2" at all.
Would changing the per-index definition from "repFactor=auto" to "repFactor=3" deliver what I am looking for? (replicated, but on a single-site originating site)?

Could I achieve this by abandoning the index_master for distributing the indexes.conf file and managing by myself the hand copy/edit of the various index files and rolling-restart of the indexers?


0 Karma

Re: architecture to support a single-site index in a multisite indexing cluster?

Splunk Employee
Splunk Employee

It looks like you're attempting to use the single-site replication/search factor settings for a multisite cluster. The multisite replication factor uses the setting sitereplicationfactor, which combines the individual site RFs, as well as origin site RF and the total (cluster-wide) RF. See

Also, repFactor is a binary setting that turns replication on or off for an index. Its only valid values are 0 and auto. See

To answer your last question, you must deploy indexes.conf using the configuration bundle method, which distributes the file from the master to the peer nodes. Bypassing the configuration bundle method will likely result in unintended consequences. See

I am not sure that there is a way to get exactly what you want out of sitereplicationfactor, but read through the page cited above. By adjusting the site replication factors, along with the total and origin fields, you might get close.

View solution in original post

0 Karma

Re: architecture to support a single-site index in a multisite indexing cluster?

Thank you Steve G. for your answer.

I found that there is no way to setup a multisite indexer cluster with some indexes replicated on all sites, and some just for a particular indexer cluster described in the documentation.

Having an index on a single peer is supported though ( )

So what I ended up doing to get a one-site-only index is to:
Create a new file on the index master:
which is part of the configuration bundle.

Then, I can use the usual:
splunk apply configuration-bundle
which ensures that new revision of that file makes it to all indexers (or none).

I do get a warning:

[Not Critical]No spec file for: /indexmaster/etc/master-apps/_cluster/local/site1-big-indexes.conf

I went on every indexer on that particular "big" site and added a symbolic link:
cd etc/system/local; ln -sf ../../slave-apps/_cluster/local/site1-big-indexes.conf indexes.conf

The only thing which is not automatically taken care of is the rolling restart if I update the site-only site-big-indexes.conf
I just manually issue a:
splunk rolling-restart cluster-peers
for that.

This seems to work, I now have indexes replicated on all sites and some that are replicated on one site only.


0 Karma