Data replication across indexers with license pool...

DFresh4130 · ‎07-03-2014

We currently have one server running the indexer and search head. We're looking into adding a second indexer on a different host to take advantage of license pools. The new indexer would be set up to where only a subset of our clients would be pointing to it as we've had issues with another group consuming too much of our license. If we take that approach, will the data be replicated between both indexers to where we can take advantage of additional search resources or do indexers only keep they data being sent to them by the forwarders configured to use them?

Ayn · ‎07-03-2014

By default indexers do not automatically replicate data. You can enable this behaviour though by setting up index clusters. The docs have excellent explanations on how it works in detail, so I'll just refer to those: http://docs.splunk.com/Documentation/Splunk/6.1.2/Indexer/Aboutclusters

datasearchninja · ‎07-03-2014

The indexer that receives the data from the forwarder will be the primary bucket for that data.

If you configure clustering/replication, the primary bucket will be copied to other indexers to meet whatever replication factor has been configured.

In a single site setup, any search will prefer to use the primary bucket for returning results if it is available.

DFresh4130 · ‎07-03-2014

Ok, so I'm a little confused on the data the forwarders are sending. Do you have to load balance the forwarders between all indexers or can I point forwarders A,B,C to indexer 1 and forwarders D,E,F to indexer 2 and still have replication work correctly?

Data replication across indexers with license pools enabled

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM