Solved: Is it better to have 1 big indexer or 2 small inde...

horsefez · ‎01-14-2016

Hi,

I'm planning on deploying a Splunk infrastructure.

I'm currently undecided whether I should build the infrastructure according to the following configurations.

Multisite-Cluster hosted across two data centers with one ESX Server each
Bare Metal Virtualization
1 Master Node residing on only one of the data centers
1 Search Head for each data center (hosted on ESX)
1 Indexer for each datacenter (hosted on ESX)
OR
2 Indexers for each datacenter (hosted on ESX)

With 1 indexer on each site, I planned to have a replication factor of 2 and a search factor of 2 and a site-rep-factor of 1.
With 2 indexers on each site a replication factor of 4 and a search factor of 3 and a site-rep-factor of 2.

Is it advisable to host 2 smaller indexers instead of one big indexer?
Are there performance benefits or caveats?

Regards,
pyro_wood

lguinn2 · ‎01-14-2016

Multi-site clustering requires at least 2 indexers per site. Both of them must meet Splunk's minimum requirements.

View solution in original post

lguinn2 · ‎01-14-2016

Multi-site clustering requires at least 2 indexers per site. Both of them must meet Splunk's minimum requirements.

horsefez · ‎01-15-2016

Thank you, I didn't take this into consideration

jbrocks · ‎09-16-2019

I think you could also have a multi site cluster with one site and one indexer

Is it better to have 1 big indexer or 2 small indexers per site in a multisite indexer clustering environment?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life