Solved: Data Archiving and Clusters

mcclainsm47 · ‎11-07-2013

I have a clustered Splunk set up with 3 indexing peers and a replication factor of 3. There are a couple of indexes that need to be archived when frozen instead of deleted, but I want to avoid having duplicate copies. The documentation mentions: "You cannot solve this problem by archiving just the data on a single node, since there's no certainty that a single node contains all the data in the cluster."

However, I'm thinking that only applies when you've got more indexers than your search factor. Since the number of indexers = replication factor, each server should have all the buckets and thus I would be able to just keep buckets from one of them. Am I missing something?

mahamed_splunk · ‎11-21-2013

Yes, at the time of archiving if the cluster master dashboard is green, then you can take backup from a single server.

View solution in original post

mahamed_splunk · ‎11-21-2013

Yes, at the time of archiving if the cluster master dashboard is green, then you can take backup from a single server.

Data Archiving and Clusters

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Join the Conversation