Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

index replication unable to complete full index data

kplem
New Member
‎03-12-2013 01:56 AM

i have managed to set up cluster & index replication for 2 nodes for testing purpose. I have managed to replicate the index over to other splunk instance by editing the indexes.conf. However, the indexer seems to unable to replicate the full index. it only managed to index a very small amount of data over. Is there something missing. In short, i can see the replicated index on other splunk instance but the data is incomplete.

Tags (1)
0 Karma
Reply

jdunlea_splunk
Splunk Employee
Splunk Employee
‎03-12-2013 08:34 AM

Also, remember that if you are setting up a second indexer to engage in replication with an existing indexer, then the existing data will NOT be replicated. You will only replicate data that was indexed AFTER you enabled replication.

0 Karma
Reply

Steve_G_
Splunk Employee
Splunk Employee
‎03-13-2013 10:33 AM

For more information on what happens to data that was already indexed prior to the indexer getting converted to a cluster peer (aka, "legacy data"), see http://docs.splunk.com/Documentation/Splunk/5.0.2/Indexer/Migratenon-clusteredindexerstoaclustereden...

Reply

jdunlea_splunk
Splunk Employee
Splunk Employee
‎03-13-2013 07:29 AM

When you add a new "index", (and the repFactor attribute is set to "auto" in indexes.conf) then all data that enters that index will be replicated. If you add a new "indexER" (Note difference between "index" and "indexer") then all data in that indexer will be replicated, if you have indeed set it up as an indexer in the cluster pool. Replication happens all the time for every 64bit chunks of data (as far as I know). Hope that helps.

0 Karma
Reply

kplem
New Member
‎03-12-2013 06:06 PM

I think that is what happen to my set up. it only replicates what the peer has after the cluster set up. In that case, is there a way to allow the new index to have full replication of the data of its peer? Also does the replication occurs all the time or a time can be scheduled?

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎03-12-2013 04:20 AM

Why do you believe the data is incomplete? How are you looking? If you're simply looking at the file size of the buckets, it's entirely expected that a non-searchable replica will be considerably smaller (1/3 or less) than the size of a searchable replica. A searchable replica should be approximately (but not necessarily exactly) the same size on both systems.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...