Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Data replication across indexers with license pools enabled

DFresh4130
Path Finder
‎07-03-2014 11:28 AM

We currently have one server running the indexer and search head. We're looking into adding a second indexer on a different host to take advantage of license pools. The new indexer would be set up to where only a subset of our clients would be pointing to it as we've had issues with another group consuming too much of our license. If we take that approach, will the data be replicated between both indexers to where we can take advantage of additional search resources or do indexers only keep they data being sent to them by the forwarders configured to use them?

0 Karma
Reply

Ayn
Legend
‎07-03-2014 11:45 AM

By default indexers do not automatically replicate data. You can enable this behaviour though by setting up index clusters. The docs have excellent explanations on how it works in detail, so I'll just refer to those: http://docs.splunk.com/Documentation/Splunk/6.1.2/Indexer/Aboutclusters

0 Karma
Reply

datasearchninja
Communicator
‎07-03-2014 08:37 PM

The indexer that receives the data from the forwarder will be the primary bucket for that data.

If you configure clustering/replication, the primary bucket will be copied to other indexers to meet whatever replication factor has been configured.

In a single site setup, any search will prefer to use the primary bucket for returning results if it is available.

0 Karma
Reply

DFresh4130
Path Finder
‎07-03-2014 01:25 PM

Ok, so I'm a little confused on the data the forwarders are sending. Do you have to load balance the forwarders between all indexers or can I point forwarders A,B,C to indexer 1 and forwarders D,E,F to indexer 2 and still have replication work correctly?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...