Knowledge Management

peer nodes vs. indexer nodes

tim_snider
Explorer

Basic / understanding question here.
The documentation refers to both indexer and peer nodes. After reading it is true that:
Peer nodes are indexers and that all peer nodes also have indexer functionality;
Peer nodes also replicate data to other peer nodes?
Do all peer nodes serve as indexers - are the other responsibility / functionality differences between peers and indexers? Is there a concept as a "straight indexer node"?
A RTFM response is fine 😉 just point me to a page (please).
Thx.

Tags (1)
0 Karma

kristian_kolb
Ultra Champion

Well you are basically right. When setting up Distributed Search, with a dedicated Search Head, and one or more Indexers, those Indexers are referred to as "search peers", whereas in a cluster setup, the servers that are indexing incoming data and replicating indexed data between themselves are referred to as "peer nodes". In a single server setup, there will be no peers, just a combined search head/indexer.

So yes, you could say that indexer = peer, but if you want to thoroughly correct, I believe you could say that an indexer indexes data, and the peer responds to remote requests for data. It's all about which point of view you have.

http://docs.splunk.com/Splexicon:Peernode
http://docs.splunk.com/Splexicon:Searchpeer
http://docs.splunk.com/Splexicon:Indexer

Hope this helps,

/k

dmaislin_splunk
Splunk Employee
Splunk Employee

But you included the links 🙂

0 Karma

dmaislin_splunk
Splunk Employee
Splunk Employee

Sorry for the confusion. Peer nodes are your indexers. They are all peers to each other. The search head sends a search down to the peers where the peers(indexer) run the search and return the results back to the search head. If you also have a Splunk cluster defined, then you can tell your indexers to make N number of copies of the indexed data across the peers. This can have a replication factor and a search factor where a search factor also replicates the meta data.

dmaislin_splunk
Splunk Employee
Splunk Employee

Please accept this answer with the check box if it meets your needs. Thanks!

0 Karma

dmaislin_splunk
Splunk Employee
Splunk Employee

Replicated for data availability. A search does not run parallel if the data exists in two places at once. The cluster master tells the search head which places to go get the data. If something goes down, the cluster master updates the list of peers to search.

0 Karma

tim_snider
Explorer

no problem - thx for the response. Is data replicated for data availability in case of hardware failure, additional indexing capability, or both?

0 Karma

kristian_kolb
Ultra Champion

dang. late again!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...