Solved: If I config 2 Indexer in Index Cluster save frozen...

jacknguyen · ‎05-15-2024

I have 2 Index in Index Cluster

Hot, Cold, Frozen

Hot and Cold are different disks

Frozen will use same disk for both Index

my question is: " The log will be replicated, Or Can I save just one Index into a Frozen and use it for backup Index Cluster?"

gcusello · ‎05-19-2024

Hi @jacknguyen,

yes, if you're speaking of frozen buckets, you don't need to save buckets from both the Indexers, but only one.

Put attention to one thing: in an Indexer cluster, buckets are present in two parts: the part indexed by the same Indexer and the part indexed by the other Indexer and replicated on the first: you have to back-up both of them.

Ciao.

Giuseppe

View solution in original post

jacknguyen · ‎05-17-2024

What if I just save only One Indexer for backup log, Is it work for both Indexer?

gcusello · ‎05-17-2024

Hi @jacknguyen,

what do you mean with backup log?

in an indexer you have hot/warm and cold buckets, that you have to store in a filesystem (not NFS and not shared) and each one different.

If you want to have a copy of your data, you can do it, what what's the meaning of?

You can have a backup, but usually only warm and cold buckets are under backup policy because to backup hot buckets (that continously change) you need to stop Splunk.

Ciao.

Giuseppe

jacknguyen · ‎05-17-2024

Well I mean in Frozen log, If I save One Indexer and use it like a backup for Splunk Indexer Cluster. Is it ok? Or each Indexers just can use by only their Frozen. Sorry beacause the question is not clearly

gcusello · ‎05-17-2024

Hi @jacknguyen ,

in this case (Frozen buckets), you can use the above filesystem for Frozen buckets., but not for hot, warm or cold buckets.

Ciao.

Giuseppe

jacknguyen · ‎05-19-2024

You mean, I can use 2 folder for two Indexer in a disk? I wanna ask If I just use one folder and save one Frozen' s Indexer 1 which can be used for backup data for all Indexer Cluster (both Indexer 1 and 2), Is that ok? I'm very hard to find document say clearly about this. My customer wanna know about that.

Do you know any documents Splunk say about this situation?

gcusello · ‎05-19-2024

Hi @jacknguyen,

yes, if you're speaking of frozen buckets, you don't need to save buckets from both the Indexers, but only one.

Put attention to one thing: in an Indexer cluster, buckets are present in two parts: the part indexed by the same Indexer and the part indexed by the other Indexer and replicated on the first: you have to back-up both of them.

Ciao.

Giuseppe

gcusello · ‎05-20-2024

Hi @jacknguyen ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello · ‎05-15-2024

Hai @jacknguyen ,

It isn't a best practice to use the same shared disk for more Indexers for many reasons,One of the Is that NFS isn't to use for Splunk storage.

It this is the only way (with mucho care and sure problems!), eventually use different folders.

Ciao

Giuseppe

If I config 2 Indexer in Index Cluster save frozen log into 1 disk, Log would be replicated?

alias

kvstore

summary indexing

transaction

workflow action

Buttercup Games Tutorial Extension - part 9

Buttercup Games Tutorial Extension - part 8

Introducing the Splunk Developer Program!

Are you a member of the Splunk Community?

If I config 2 Indexer in Index Cluster save frozen log into 1 disk, Log would be replicated?