Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Install ES on an Indexers Cluster

gcusello
SplunkTrust
SplunkTrust
‎09-20-2019 08:37 AM

Hi at all,
probably it's a stupid question, but I don't know very well if ES has special requirements for Indexers Clusters and documentation doesn't help me.
I took in charge a Splunk installation where I found an Indexers Cluster where is installed the Splunk_TA_ForIndexers containing the indexes.conf file for ES correctly deployed using Master Node.
The problem is that in indexes.conf there isn't the clause repFactor = auto in indexes stanzas, so indexes aren't replicated between the cluster!
I know that old events aren't replicated between Indexers, so what it will happen if I insert the clause in indexes.conf?

Thank you for your help.

Bye.
Giuseppe

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

smoir_splunk
Splunk Employee
Splunk Employee
‎09-20-2019 11:46 AM

If you want to modify indexes.conf to add repFactor = auto, follow these steps to recreate the Splunk_TA_ForIndexers and modify the indexes.conf outputted in that package, then deploy that updated package to your indexer cluster.
https://docs.splunk.com/Documentation/ES/5.3.1/Install/InstallTechnologyAdd-ons#Create_the_Splunk_TA...

The likely reason this is not set to auto is because repFactor is set to 0 by default, and the Splunk_TA_ForIndexers indexes.conf file combines the indexes.conf files in the add-ons selected when the TA is created. So if the indexes.conf files in those add-ons weren't set to replicate, it wouldn't get added.

I hope this helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

edoardo_vicendo
Contributor
‎03-24-2021 10:36 AM

I think that in an Indexer Cluster by default all the Splunk "internal" indexes should have repFactor=auto, at least under /opt/splunk/etc/master-apps/_cluster/default/indexes.conf

I opened the following Splunk Idea to ask for the implementation:

https://ideas.splunk.com/ideas/EID-I-898

0 Karma
Reply
Solved! Jump to solution
Solution

smoir_splunk
Splunk Employee
Splunk Employee
‎09-20-2019 11:46 AM

If you want to modify indexes.conf to add repFactor = auto, follow these steps to recreate the Splunk_TA_ForIndexers and modify the indexes.conf outputted in that package, then deploy that updated package to your indexer cluster.
https://docs.splunk.com/Documentation/ES/5.3.1/Install/InstallTechnologyAdd-ons#Create_the_Splunk_TA...

The likely reason this is not set to auto is because repFactor is set to 0 by default, and the Splunk_TA_ForIndexers indexes.conf file combines the indexes.conf files in the add-ons selected when the TA is created. So if the indexes.conf files in those add-ons weren't set to replicate, it wouldn't get added.

I hope this helps!

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎09-20-2019 08:51 AM

from the moment you insert the clause, data will replicate according to policies

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...