Migrating from single server to indexer cluster with replicated data

brettcave
Builder

I know this has been asked before, such as https://answers.splunk.com/answers/432048/is-there-a-way-to-migrate-indexed-data-from-a-lega.html - but I'm looking for clarification on replication and search factors.

If I were to start a 3-node indexer cluster with RF and SF set to 3, and copied all the buckets from the specific indexes to all nodes (including raw and index files), would all the historical data be searchable across the indexer cluster? I.e., is it enough to copy all the files there?

One additional item to mention is that I may want to look at SmartStore for some of the indexes, e.g. using S3, but I'm still investigating the search usage to get a better idea of how far back data is being used and whether this might have a negative performance impact - if not, this is the way we'd want to go, and I believe SF/RF of 3 with 3 indexers would be needed for this.

Splunk version is 7.3.1

0 Karma

akshatj2
Path Finder

Hi Brettcave,

I am not sure I understand your question completely, but RF and SF are required to ensure you have data durability. I would not suggest going for RF and SF of 3 as you only have 3 indexers.

I would suggest going for RF 2 and SF either 1 or 2, depending on requirements.

RF = 2 would mean that 2 copies of your data are available, which would help with data availability in case 1 of the servers is not available.

SF = 2 would mean you have 2 searchable copies, but this would also require more disk space.

0 Karma

brettcave
Builder

Hey Akshatj2. What I am asking is:

If I have an existing data set on a single instance, and want to move that instance from standalone to a clustered index, would the current dataset be searchable across the cluster if I were to copy all the buckets to all nodes?

With 3 indexers and an RF and SF of 3, it means each one of the nodes has a copy of the raw data AND index data, and so it can simplify backup solutions. I know it's not the best way to optimize space utilization, but it makes some of the management aspects a bit easier.

0 Karma