Solved: Data Archiving and Clusters

mcclainsm47 · ‎11-07-2013

I have a clustered Splunk set up with 3 indexing peers and a replication factor of 3. There are a couple of indexes that need to be archived when frozen instead of deleted, but I want to avoid having duplicate copies. The documentation mentions: "You cannot solve this problem by archiving just the data on a single node, since there's no certainty that a single node contains all the data in the cluster."

However, I'm thinking that only applies when you've got more indexers than your search factor. Since the number of indexers = replication factor, each server should have all the buckets and thus I would be able to just keep buckets from one of them. Am I missing something?

mahamed_splunk · ‎11-21-2013

Yes, at the time of archiving if the cluster master dashboard is green, then you can take backup from a single server.

View solution in original post

mahamed_splunk · ‎11-21-2013

Yes, at the time of archiving if the cluster master dashboard is green, then you can take backup from a single server.

Data Archiving and Clusters

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!