Getting Data In

Data Archiving and Clusters

mcclainsm47
Engager

I have a clustered Splunk set up with 3 indexing peers and a replication factor of 3. There are a couple of indexes that need to be archived when frozen instead of deleted, but I want to avoid having duplicate copies. The documentation mentions: "You cannot solve this problem by archiving just the data on a single node, since there's no certainty that a single node contains all the data in the cluster."

However, I'm thinking that only applies when you've got more indexers than your search factor. Since the number of indexers = replication factor, each server should have all the buckets and thus I would be able to just keep buckets from one of them. Am I missing something?

Tags (2)
1 Solution

mahamed_splunk
Splunk Employee
Splunk Employee

Yes, at the time of archiving if the cluster master dashboard is green, then you can take backup from a single server.

View solution in original post

0 Karma

mahamed_splunk
Splunk Employee
Splunk Employee

Yes, at the time of archiving if the cluster master dashboard is green, then you can take backup from a single server.

0 Karma
Get Updates on the Splunk Community!

This dashboard view is deprecated and will be removed in future versions of Splunk ...

After upgrading to Splunk Enterprise 9.0 I do get the following message from several Dashboard.This dashboard ...

How to ingest a selection of JSON fields

I have a dump.json file that collects events in JSON format:<BR ...

Why getting timeout error while adding data to the Splunk cloud index from REST API?

Hello Team,<BR /><BR />I am getting timeout error while adding data to Splunk cloud index from REST API. I am ...