multi-site

hazem
Path Finder

We plan to have a multi-site clustering setup in HQ and DR, so the question is: can I configure the indexers located at DR with a retention policy less than the indexers located at HQ?

gcusello
SplunkTrust

Hi @hazem ,

In an Indexer Cluster (single site or multisite) usually retention is the same in both sites, because you should have, at least, one searchable copy of data in each site.

If you have to design a multisite Indexer Cluster, engage a Splunk Architect (or a Splunk PS), it's always better.

Ciao.

Giuseppe
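
As an added illustration of the reply above (not part of the original post, and not configuration from the poster's environment): in an indexer cluster, retention is set in the indexes.conf of the configuration bundle that the cluster manager pushes to every peer, so HQ and DR peers receive the same value. The site names, the index name and the 90-day figure are assumptions.

```ini
# --- server.conf on the cluster manager (site names are assumed) ---
[general]
site = site1

[clustering]
mode = manager
multisite = true
available_sites = site1,site2
# One copy at the originating site and one at the other site.
site_replication_factor = origin:1,total:2
# Both copies searchable, so either site can answer searches on its own.
site_search_factor = origin:1,total:2

# --- indexes.conf in the manager's configuration bundle ---
# Typically $SPLUNK_HOME/etc/manager-apps/_cluster/local/indexes.conf
# (master-apps on older versions). The bundle is pushed unchanged to
# all peers, which is why retention ends up identical in both sites.
# "app_logs" is a hypothetical index name.
[app_logs]
homePath   = $SPLUNK_DB/app_logs/db
coldPath   = $SPLUNK_DB/app_logs/colddb
thawedPath = $SPLUNK_DB/app_logs/thaweddb
# Required for the index to be replicated across the cluster.
repFactor  = auto
# 90 days (assumed value); applies to the HQ and DR peers alike.
frozenTimePeriodInSecs = 7776000
```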

hazem
Path Finder

Thanks @gcusello

But I have another scenario: if I decide to install a standalone indexer in the DR site and edit outputs.conf on the agents to add the new standalone indexer located at DR. At this stage data will be forwarded to the indexer which is managed by the master node at the main site and also to the standalone DR indexer.

And configure the retention period in the DR site to be less than in the main site.

Do you recommend this approach?

hazem
Path Finder

Hi @gcusello 

Regarding this point you have raised:

You cannot configure stand alone Indexers, you can configure two IDX located in two different locations and managed by a Cluster Master.

So if I used this approach, during a DR drill all nodes located in one site and also the cluster master node will be down and searching will be affected.

Am I right?

gcusello
SplunkTrust

Hi @hazem,

To my knowledge, a multisite IDX Cluster requires at least two IDXs for each site!

If you want to put an IDX in each site, it is physically a multisite Indexer Cluster, but it's a simple Indexer Cluster with two nodes located in two different sites.

You cannot configure stand alone Indexers, you can configure two IDX located in two different locations and managed by a Cluster Master.

I applied this configuration in one project, it's the minimal configuration to have the full dataset in two locations.

About configuration, as I said, you have to consider your architecture a single site Indexer Cluster and configure it in this way.

About retention, there's no sense in having a different retention in the two sites, because if you have to use the secondary site you cannot search in all data!

And I'm not sure that it's possible to define a different retention for the two IDXs.

Never speak of two stand alone Indexers because if you want data replication (without paying double license) you must use a Cluster.

Ciao.

Giuseppe

gcusello
SplunkTrust

Hi @hazem ,

During DR, you have the primary site and probably also the Cluster Manager both down, but you can search on the Indexer in the secondary site, that will have all the data for the replication; for this reason you cannot have a minor retention time in the secondary site.

The secondary site continues to work (also without CM) until the primary site and CM come up again; at this point there will be the data balancing, replicating the data indexed during the DR.

Ciao.

Giuseppe

hazem
Path Finder

Hello @gcusello

I think the answer below will be suitable for a multi-site cluster, and in a single-site cluster during a DR drill both nodes will be down and search may be affected.

Am I right?

During DR,  you have primary site and probably also Cluster Manager both down, but you can search on the Indexer in the secondary site, that will have all the data for the replication, for this reason you cannot have a minor retention time in the secondary site.

The secondary site continue to work (also without CM) until the primary site and CM will come up again, at this point there will be the data balancing replicating the data indexed during the DR.

gcusello
SplunkTrust

Hi @hazem ,

When the primary site is down, you can access the secondary site Indexer for searches.

But remember that using an IDX cluster, you must use a Search Head to search on the two clustered Indexers; it isn't possible to use the same server for searches as a stand-alone server.

From version 7, a Splunk IDX Cluster is accessible only using a Search Head.

Ciao.

Giuseppe

hazem
Path Finder

hello @gcusello 

thank you for your reply 🙏

gcusello
SplunkTrust

Hi @hazem ,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
