Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

multi-site

hazem
Path Finder
‎06-09-2024 03:42 AM

 

We have been running our indexer cluster as a multisite cluster with 3 indexers in our main site for the past year.with the below configuration:

site_replication_factor = origin:2,total:2

site_search_factor = origin:1,total:1

now we have decided to establish a disaster recovery site with an additional 3 indexers.

The expected configuration for the new DR site will be as follows:

site_replication_factor = origin:2, total:3

site_search_factor = origin:1, total:2

I would like to address the question about how replication will work once the DR indexer is configured?

will the replication process start syncing all logs in the hot, warm and cold buckets or will start real-time hot  logs only??

Labels (1)
Labels
0 Karma
Reply

hazem
Path Finder
‎06-09-2024 07:03 AM

please note that the DR site did not exist once we implemented the Multi-site cluster so we decided to insert the below configuration

site_replication_factor = origin:2,total:2

available_sites = site1

which the cluster did not sync any data to the DR site which already did not exist at the beginning of the implementation.

now the DR site will be up and we will install new 3 indexers in it. 

we will reconfigure the cluster manager with the bellow conf to add one copy of data  to DR indexer so the question is all logs (20TB) will be transferred to DR site?or just realtime logs?

 

before installing DR indexers:

site_replication_factor = origin:2, total:2

available_sites = site1

after installing DR indexers

site_replication_factor = origin:2, total:3

available_sites = site1,site2

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-09-2024 08:38 AM

The site replication factor applies to *all* buckets (except thawed) so the cluster will create a third copy of all data, not just data that arrives after the change is made.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

hazem
Path Finder
‎06-09-2024 06:19 AM

Hi @richgalloway  thank you for your reply 

you said that the cluster immediately will create additional copies of all hot, warm, and cold buckets. 

Do you mean that the additional copy will be copied to the DR site?

but if I have data in the main site like 8TB in hot/warm and 12TB for cold .the cluster will replicate all  8TB and 12 TB logs to DR indexers?

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-09-2024 06:32 AM

The cluster will do what is necessary to meet the replication and search factors.  That may mean replicating 20TB of data to the other site.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-09-2024 04:45 AM

Once the RF is increased, the cluster immediately will create additional copies of all hot, warm, and cold buckets.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...