Getting Data In

Is replication possible with only two indexers?


I only have two machines/servers/indexers. Can I get true replication with only two systems?

Server-1 and Server-2. I can't build any additional servers.

I want to point all of my clients to Server-1 as the primary. I want Splunk to make sure Server-2's data is identical.

If I lose Server-1 I want my forwarders to point to their secondary server. i.e. Server-2.

When Server-1 comes back online I want everything to fail back to Server-1.

Is this possible with Splunk?

Oh yeah... I read about clustering with Splunk and it looks like you need about 5 physical machines to get it to work. Remember, I only have two.


Splunk Employee

Regarding your original question: 2 indexers => yes. 2 servers => no.

Single-site clustering would be the best approach for you; only then can Splunk take over the replication part.
But not with only 2 servers. You need at least 4 instances (two peers, one master node, one search head).

Load balancing only helps for availability if Server-1 goes down, but that doesn't mean your data is in sync.

You can set up an rsync job to keep warm and cold in sync (warm/cold buckets are read-only for Splunk), but not hot buckets.

Well, you can limit the retention or size in hot so you don't lose too much data if Server-1 fails.

If your hardware performs well enough, you can set up different instances for different roles on the same machine using different IPs. Different ports are not enough. But this is fiddly and totally not supported.

And seriously: why not create the master node and search head as virtual machines? Or the whole thing virtual?
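The rsync job the answer above describes, written out as an added example that is not part of the original thread or of Splunk's own tooling. It relies on Splunk's bucket naming under each index directory: hot buckets are `hot_v1_<id>` and are still being written, while rolled warm (in `db/`) and cold (in `colddb/`) buckets are `db_<latest>_<earliest>_<id>` and do not change, so only those are mirrored. The index name, the `server2` host and all paths are assumptions; the sample bucket layout it builds is constructed for the demo, not real data.

```shell
#!/bin/sh
# Added example (not from the thread): mirror one index's warm and cold
# buckets from Server-1 to Server-2 with rsync, leaving hot buckets alone.
# Paths, the index name and the destination host are assumptions.
set -eu

# Splunk names bucket directories under <index>/db and <index>/colddb as
#   hot_v1_<id>                          open bucket, still being written
#   db_<latestTime>_<earliestTime>_<id>  rolled bucket, read-only
# Only db_* directories are safe to copy while the indexer is running.
list_syncable_buckets() {
  idx="$1"
  for sub in db colddb; do
    [ -d "$idx/$sub" ] || continue
    for b in "$idx/$sub"/*; do
      [ -d "$b" ] || continue
      case "${b##*/}" in
        db_*) printf '%s\n' "$sub/${b##*/}" ;;
        *) ;;   # hot_* buckets and metadata directories are skipped
      esac
    done
  done
}

# Number of buckets the mirror job would carry across.
count_syncable_buckets() {
  list_syncable_buckets "$1" | wc -l | tr -d ' '
}

# Mirror db/ and colddb/ only. --exclude 'hot_*' keeps Server-1's open
# bucket out of the copy and also protects any hot bucket on the standby
# from --delete; thaweddb/ and everything else under the index is ignored.
# Set RSYNC_OPTS=-n for a dry run.
mirror_index() {
  src="$1"   # local index directory on Server-1
  dst="$2"   # same index directory on Server-2 (local path or user@host:/path)
  for sub in db colddb; do
    rsync -a --delete ${RSYNC_OPTS:-} --exclude 'hot_*' \
      "$src/$sub/" "$dst/$sub/"
  done
}

# Constructed sample layout shaped like $SPLUNK_DB/<index>; not real data.
make_sample_index() {
  root="$1"
  mkdir -p "$root/db/hot_v1_3" \
           "$root/db/db_1700000100_1700000000_2" \
           "$root/db/db_1699999900_1699999000_1" \
           "$root/colddb/db_1600000100_1600000000_0" \
           "$root/thaweddb"
  : > "$root/db/hot_v1_3/rawdata"
  : > "$root/db/db_1700000100_1700000000_2/rawdata"
}

# Demo run against the constructed sample (a real job would use e.g.
# /opt/splunk/var/lib/splunk/main and splunk@server2:/opt/splunk/var/lib/splunk/main).
tmp=$(mktemp -d)
make_sample_index "$tmp/server1/main"
printf 'Buckets eligible for mirroring:\n'
list_syncable_buckets "$tmp/server1/main"
if command -v rsync >/dev/null 2>&1; then
  mkdir -p "$tmp/server2/main/db" "$tmp/server2/main/colddb"
  mirror_index "$tmp/server1/main" "$tmp/server2/main"
  printf 'Mirrored %s buckets to the standby\n' "$(count_syncable_buckets "$tmp/server2/main")"
  if [ -d "$tmp/server2/main/db/hot_v1_3" ]; then
    echo 'hot bucket was copied (unexpected)'
  else
    echo 'hot bucket left behind as intended'
  fi
fi
rm -rf "$tmp"
```

Two caveats go with this. It only makes sense if Server-2 is a passive standby: bucket ids are assigned per indexer, so if Server-2 also indexes into the same index its own `db_*` names can collide with the copies and `--delete` will fight them. And Splunk reads its bucket list at startup, so the standby normally needs a restart before searches see newly copied buckets. Everything still in the hot bucket at failure time is lost, which is why the answer suggests keeping hot small: `maxHotSpanSecs` and `maxDataSize` in indexes.conf roll hot buckets sooner, at the cost of more, smaller warm buckets.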

Path Finder

I guess you will need to use a load balancer like an F5, and the forwarders should then send data to the VIP.



Thanks for the response...

But I think I can configure the clients (Universal Forwarders) to send data to both Server-1 and Server-2 at the same time. I don't want to get into a situation where a link or server goes down for a while and, when the systems return, Server-1 has many more records than Server-2.

That's why I want a true replicating daemon that can log into both systems and verify that the pools of data on Server-1 and Server-2 are identical ... (100% of the time).

All this with only two servers... 🙂

If this product can't support that, then maybe I'll try to install all of the pieces of the clustering setup on the two servers I currently have.

--- /opt/splunk-master -- using ports 9000-9010
--- /opt/splunk-search-head -- using ports 9020-9030
--- /opt/splunk-peer -- using ports 9040-9050

--- /opt/splunk-search-head -- using ports 9020-9030
--- /opt/splunk-peer -- using ports 9040-9050

Maybe something like this would work..
