i know this has been asked before, such as https://answers.splunk.com/answers/432048/is-there-a-way-to-migrate-indexed-data-from-a-lega.html - but looking for clarification on replication and search factors.
If I were to start a 3-node indexer cluster with rf and sf set to 3, and copied all the buckets from the specific indexes to all nodes (including raw and index files), would all the historical data be searchable across the indexer cluster? i.e. is it enough to copy all the files there.
1 additional item to mention is that i may want to look at smartstore for some of the indexes, e.g. using S3, but still investigating the search usage to get a better idea of how far back data is being used and whether this might have a negative performance impact - if not, this is the way we'd want to go, and i believe sf/rf of 3 with 3 indexers would be needed for this.
splunk version is 7.3.1
I am not sure I understand your question completely but RF and SF are required to ensure you have data durability. I would not suggest to go for 3 rf and sf as u only have 3 indexers.
I would suggest to go for RF 2 and SF either 1 or 2 depending on requirements.
RF = 2 would mean that 2 copies of your data is available which would help in data availability in case of 1 of the server is not available
SF = 2 would mean you have 2 searchable copies. but this would also require more disk space as well.
Hey Akshatj2. What I am asking is:
If I have an existing data set on a single instance, and want to move that instance from standalone to clustered index, would the current dataset be searchable across the cluster if I were to copy all the buckets to all nodes?
With 3 indexers and a RF and SF of 3, it means each 1 of the nodes has a copy of the raw data AND index data, and so it can simplify backup solutions. I know it's not the best way to optimize space utilization, but it makes some of the management aspects a bit easier.