Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

multi-site

hazem
Path Finder
‎06-09-2024 03:42 AM

 

We have been running our indexer cluster as a multisite cluster with 3 indexers in our main site for the past year.with the below configuration:

site_replication_factor = origin:2,total:2

site_search_factor = origin:1,total:1

now we have decided to establish a disaster recovery site with an additional 3 indexers.

The expected configuration for the new DR site will be as follows:

site_replication_factor = origin:2, total:3

site_search_factor = origin:1, total:2

I would like to address the question about how replication will work once the DR indexer is configured?

will the replication process start syncing all logs in the hot, warm and cold buckets or will start real-time hot  logs only??

Labels (1)
Labels
0 Karma
Reply

hazem
Path Finder
‎06-09-2024 07:03 AM

please note that the DR site did not exist once we implemented the Multi-site cluster so we decided to insert the below configuration

site_replication_factor = origin:2,total:2

available_sites = site1

which the cluster did not sync any data to the DR site which already did not exist at the beginning of the implementation.

now the DR site will be up and we will install new 3 indexers in it. 

we will reconfigure the cluster manager with the bellow conf to add one copy of data  to DR indexer so the question is all logs (20TB) will be transferred to DR site?or just realtime logs?

 

before installing DR indexers:

site_replication_factor = origin:2, total:2

available_sites = site1

after installing DR indexers

site_replication_factor = origin:2, total:3

available_sites = site1,site2

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-09-2024 08:38 AM

The site replication factor applies to *all* buckets (except thawed) so the cluster will create a third copy of all data, not just data that arrives after the change is made.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

hazem
Path Finder
‎06-09-2024 06:19 AM

Hi @richgalloway  thank you for your reply 

you said that the cluster immediately will create additional copies of all hot, warm, and cold buckets. 

Do you mean that the additional copy will be copied to the DR site?

but if I have data in the main site like 8TB in hot/warm and 12TB for cold .the cluster will replicate all  8TB and 12 TB logs to DR indexers?

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-09-2024 06:32 AM

The cluster will do what is necessary to meet the replication and search factors.  That may mean replicating 20TB of data to the other site.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-09-2024 04:45 AM

Once the RF is increased, the cluster immediately will create additional copies of all hot, warm, and cold buckets.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...