deploying splunk multisite cluster with 1 indexer ...

vitojij183 · ‎11-05-2020

hi

I wanna deploy multisite cluster with 2 sites, 1 in-branch and another in a datacenter, I have 1 indexer for each site,

I wanna each site have a copy of another site if the one site goes down, but I really dont understand about site replication factor and search factor. can someone please help me to figure out how to deploy this cluster?

best regards

isoutamo · ‎11-05-2020

I think that this is doable by setting local SF + RF = 1 and site_SF+RF: origin:1, total:2
But when you are bringing it up it don't start to working before both nodes are up.
I propose that try to get at least 2 indexer per site to get this working without bigger challenges.

vitojij183 · ‎11-05-2020

another question,

i dont understand this line "But when you are bringing it up it don't start to working before both nodes are up."

can you explain it more ?

thank you

isoutamo · ‎11-05-2020

As you have only one node per site and both sites must have one copies of buckets, then it’s not functional before both sites have one node up and running. Of course you could force it to star manually on cm if needed.

vitojij183 · ‎11-05-2020

thank you for your answer

what happens if I add this configuration on the master node with my architecture?

multisite = true
available_sites = site1,site2
site_replication_factor = origin:1,site1:1,site2:1,total:2
site_search_factor = origin:1,site1:1,site2:1,total:2
replication_factor = 2

best regards

isoutamo · ‎11-05-2020

It didn't work as you set replication_factor as 2 and you have only 1 node on site. Also search_factor must be 1.
r. Ismo

deploying splunk multisite cluster with 1 indexer per site

indexer clustering

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector